Dr. David von Oheimb [Sat, 12 Dec 2020 20:36:06 +0000 (21:36 +0100)]
make various test CA certs RFC 5280 compliant w.r.t. X509 extensions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13719)
Jon Spillett [Tue, 19 Jan 2021 03:43:35 +0000 (13:43 +1000)]
apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters
Needed to be able to set the libctx and propq.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13894)
Jon Spillett [Thu, 20 Aug 2020 05:10:21 +0000 (15:10 +1000)]
test-gendsa: Add test cases with FIPS provider
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13894)
Dr. David von Oheimb [Mon, 4 Jan 2021 19:27:33 +0000 (20:27 +0100)]
x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF()
Also improve list layout of some comments.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13895)
Shane Lontis [Wed, 18 Nov 2020 06:56:29 +0000 (16:56 +1000)]
Remove pkey_downgrade from PKCS7 code
Fixes #12991
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13435)
Dr. David von Oheimb [Sat, 19 Dec 2020 18:50:16 +0000 (19:50 +0100)]
util/check-format.pl: Minor improvements of whitespace checks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13710)
Rich Salz [Sat, 26 Dec 2020 15:21:41 +0000 (10:21 -0500)]
Deprecate OCSP_xxx API for OSSL_HTTP_xxx
Deprecations made:
OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX
OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new
OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free
OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header
OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header
OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d
OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio
OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length
OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i
OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio
Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES
text inline. Some of the original functions had no documentation:
OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio,
OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts
are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod
Fixes #12234
Co-authored-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13742)
Richard Levitte [Mon, 18 Jan 2021 09:09:58 +0000 (10:09 +0100)]
DOCS: Fix the last few remaining pass phrase options references
There were a few lingering older style references to the pass phrase
options section, now streamlined with all the others.
Fixes #13883
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13885)
Kurt Roeckx [Thu, 17 Dec 2020 21:28:17 +0000 (22:28 +0100)]
Fix memory leak in mac_newctx() on error
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13702)
Shane Lontis [Fri, 11 Dec 2020 09:24:46 +0000 (19:24 +1000)]
Fix PKCS7 potential segfault
As the code that handles libctx, propq for PKCS7 is very similar to CMS
code, a similiar fix for issue #13624 needs to be applied.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13668)
Shane Lontis [Fri, 11 Dec 2020 09:19:37 +0000 (19:19 +1000)]
CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.
Fixes #13624
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13668)
Tomas Mraz [Thu, 14 Jan 2021 14:19:46 +0000 (15:19 +0100)]
Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity
To clarify the purpose of these two calls rename them to
EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv.
Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV
to better align with the function name.
Fixes #13411
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13870)
Michael Baentsch [Fri, 15 Jan 2021 10:40:31 +0000 (11:40 +0100)]
Update SERVER_HELLO_MAX_LENGTH
Update constant to maximum permitted by RFC 8446
Fixes #13868
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13874)
Dr. David von Oheimb [Mon, 21 Dec 2020 07:16:30 +0000 (08:16 +0100)]
replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)
Dr. David von Oheimb [Sat, 12 Dec 2020 13:07:41 +0000 (14:07 +0100)]
bio_lib.c: Fix error queue entries and return codes on NULL args etc.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)
Dr. David von Oheimb [Fri, 11 Dec 2020 18:30:40 +0000 (19:30 +0100)]
X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)
Jon Spillett [Wed, 13 Jan 2021 04:10:51 +0000 (14:10 +1000)]
Allow EVP_PKEY private key objects to be created without a public component
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13855)
Richard Levitte [Wed, 13 Jan 2021 23:00:41 +0000 (00:00 +0100)]
Fix incomplete deprecation guard in test/sslapitest.c
OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED,
as the latter doesn't take the configuration option '--api=' in account.
Fixes #13865
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13866)
Richard Levitte [Wed, 13 Jan 2021 22:55:51 +0000 (23:55 +0100)]
Fix crypto/des/build.info
!$disabled{mdc2} was used to determine if DES files should be included
in providers/liblegacy.a. Use !$disabled{des} instead.
Fixes #13865
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13866)
Rich Salz [Tue, 5 Jan 2021 23:05:42 +0000 (18:05 -0500)]
Document openssl thread-safety
Also discuss reference-counting, mutability and safety.
Thanks to David Benjamin for pointing to comment text he added
to boringSSL's header files.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13788)
Pauli [Thu, 14 Jan 2021 01:49:47 +0000 (11:49 +1000)]
Remove unused DRBG tests.
The DRBG known answer tests are performed by evp_test and the old vectors
are not used.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13867)
Daniel Bevenius [Wed, 13 Jan 2021 14:30:20 +0000 (15:30 +0100)]
Correct typo in rsa_oaep.c
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13861)
Michael Baentsch [Wed, 13 Jan 2021 10:06:13 +0000 (11:06 +0100)]
Enhance default provider documentation
Bring Wiki and man page documentation in line regarding default provider
fall-back behaviour.
Fixes #13844
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13859)
Matt Caswell [Tue, 12 Jan 2021 16:50:17 +0000 (16:50 +0000)]
Fix a failure where fetches can return NULL in multi-threaded code
When a fetch is attempted simultaneously from multiple threads then both
threads can attempt to construct the method. However only one of those
will get added to the global evp method store. The one that "lost" the
race to add the method to the global evp method store ended up with the
fetch call returning NULL, instead of returning the method that was
already available.
Fixes #13682
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Matt Caswell [Mon, 11 Jan 2021 17:02:01 +0000 (17:02 +0000)]
Fix an issue in provider_activate_fallbacks()
The above function was running while holding the store lock with a read
lock. Unfortunately it actually modifies the store, so a write lock is
required instead.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Matt Caswell [Mon, 11 Jan 2021 17:01:07 +0000 (17:01 +0000)]
Extend the threads test to add simple fetch from multi threads
Issue #13682 suggests that doing a simple fetch from multi-threads may
result in issues so we add a test for that.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Matt Caswell [Fri, 8 Jan 2021 13:48:13 +0000 (13:48 +0000)]
Enable locking on the primary DRBG when we create it
The primary DRBG may be shared across multiple threads and therefore
we must use locking to access it. Previously we were enabling that locking
lazily when we attempted to obtain one of the child DRBGs. Part of the
process of enabling the lock, is to create the lock. But if we create the
lock lazily then it is too late - we may race with other threads where each
thread is independently attempting to enable the locking. This results
in multiple locks being created - only one of which "sticks" and the rest
are leaked.
Instead we enable locking on the primary when we first create it. This is
already locked and therefore we cannot race.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Matt Caswell [Fri, 8 Jan 2021 13:22:59 +0000 (13:22 +0000)]
Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()
The function ossl_lib_ctx_generic_new() modifies the exdata. This may
be simultaneously being modified by other threads and therefore we need
to make sure we take the lock before doing so.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Matt Caswell [Fri, 11 Dec 2020 16:29:25 +0000 (16:29 +0000)]
Lock the provider operation_bits
The provider operation_bits array can see concurrent access by multiple
threads and can be reallocated at any time. Therefore we need to ensure
that it is appropriately locked.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Matt Caswell [Thu, 10 Dec 2020 16:57:33 +0000 (16:57 +0000)]
Document the core_thread_start upcall
The core_thread_start upcall previously had a placeholder in the docs.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Matt Caswell [Thu, 10 Dec 2020 15:39:58 +0000 (15:39 +0000)]
Add a test for performing work in multiple concurrent threads
We test both the default provider and the fips provider
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Matt Caswell [Thu, 10 Dec 2020 14:44:25 +0000 (14:44 +0000)]
Fix a crash with multi-threaded applications using the FIPS module
The FIPS implementation of the ossl_ctx_thread_stop function needs to
use an OSSL_LIB_CTX - but gets passed a provctx as an argument. It was
assuming that these are the same thing (which was true at one point
during development) - but that is no longer the case. The fix is to
get the OSSL_LIB_CTX out of the provctx.
Fixes #13469
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
Dr. David von Oheimb [Thu, 7 Jan 2021 19:02:39 +0000 (20:02 +0100)]
find_issuer(): When returning an expired issuer, take the most recently expired one
Also point out in the documenting comment that a non-expired issuer is preferred.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13805)
Richard Levitte [Tue, 12 Jan 2021 14:41:10 +0000 (15:41 +0100)]
Make the OSSL_CMP manual conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13846)
Dmitry Belyavskiy [Wed, 13 Jan 2021 07:51:39 +0000 (08:51 +0100)]
Skip BOM when reading the config file
Fixes #13840
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13857)
David Carlier [Wed, 9 Dec 2020 20:23:32 +0000 (20:23 +0000)]
OPENSSL_cpuid_setup FreeBSD arm update.
when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13650)
David Carlier [Sat, 9 Jan 2021 14:17:29 +0000 (14:17 +0000)]
OPENSSL_cpuid_setup FreeBSD PowerPC update
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13821)
Richard Levitte [Tue, 12 Jan 2021 14:44:43 +0000 (15:44 +0100)]
Make header references conform with man-pages(7) in all manuals
Details from man-pages(7) that are used:
Formatting conventions (general)
...
Filenames (whether pathnames, or references to header files) are always
in italics (e.g., <stdio.h>), except in the SYNOPSIS section, where in‐
cluded files are in bold (e.g., #include <stdio.h>). When referring to
a standard header file include, specify the header file surrounded by
angle brackets, in the usual C way (e.g., <stdio.h>).
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13843)
Richard Levitte [Tue, 12 Jan 2021 15:24:10 +0000 (16:24 +0100)]
Make the OSSL_trace manual conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13842)
Richard Levitte [Tue, 12 Jan 2021 15:13:42 +0000 (16:13 +0100)]
Make the OSSL_PROVIDER manual conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13845)
Richard Levitte [Tue, 12 Jan 2021 15:05:55 +0000 (16:05 +0100)]
Make the OSSL_HTTP manual conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13847)
Richard Levitte [Tue, 12 Jan 2021 15:14:43 +0000 (16:14 +0100)]
Make the OSSL_SELF_TEST manual conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13849)
Richard Levitte [Tue, 12 Jan 2021 15:10:15 +0000 (16:10 +0100)]
Make the OSSL_PARAM manual conform with man-pages(7)
Details from man-pages(7) that are used:
Formatting conventions for manual pages describing functions
...
Variable names should, like argument names, be specified in italics.
...
Formatting conventions (general)
...
Special macros, which are usually in uppercase, are in bold.
Exception: don't boldface NULL.
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13848)
Tomas Mraz [Tue, 12 Jan 2021 15:53:33 +0000 (16:53 +0100)]
chacha20: Properly reinitialize the cipher context with NULL key
Same for chacha20-poly1305.
The test_cipher_reinit and test_cipher_reinit_partialupdate is modified
to test this case of cipher context reinitialization.
Fixes #13064
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13850)
Dr. David von Oheimb [Mon, 11 Jan 2021 06:52:45 +0000 (07:52 +0100)]
x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Wed, 6 Jan 2021 11:16:44 +0000 (12:16 +0100)]
apps/req.c: Make sure -verify option takes effect also with -x509
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Wed, 6 Jan 2021 11:12:25 +0000 (12:12 +0100)]
apps/req.c: Cosmetic improvements of code and documentation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Fri, 25 Dec 2020 11:10:44 +0000 (12:10 +0100)]
crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Thu, 24 Dec 2020 11:43:39 +0000 (12:43 +0100)]
apps/req.c: Add -copy_extensions option for use with -x509; default: none
Fixes #13708
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Thu, 24 Dec 2020 10:25:47 +0000 (11:25 +0100)]
Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert
Also clean up some related auxiliary functions and documentation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Thu, 24 Dec 2020 06:42:08 +0000 (07:42 +0100)]
apps/req.c: make -subj work with -x509; clean up related code
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Mon, 21 Dec 2020 14:52:01 +0000 (15:52 +0100)]
X509_PUBKEY_set(): Fix error reporting
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Mon, 21 Dec 2020 12:50:09 +0000 (13:50 +0100)]
apps/lib/opt.c: Fix error message on unknown option/digest
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Sat, 19 Dec 2020 18:49:25 +0000 (19:49 +0100)]
Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Sat, 19 Dec 2020 18:46:14 +0000 (19:46 +0100)]
apps/req.c: add -CA and -CAkey options; improve code and doc
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Thu, 10 Dec 2020 20:02:47 +0000 (21:02 +0100)]
APPS: Allow OPENSSL_CONF to be empty, not loading a config file
Also document the function CONF_get1_default_config_file()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Thu, 10 Dec 2020 14:23:41 +0000 (15:23 +0100)]
apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default
Fixes #13603
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Dr. David von Oheimb [Wed, 30 Dec 2020 08:49:20 +0000 (09:49 +0100)]
X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert
This is the upstream fix for #13698 reported for v1.1.1
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13755)
Dr. David von Oheimb [Wed, 30 Dec 2020 08:46:38 +0000 (09:46 +0100)]
d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()
Partly fixes #13754
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13755)
Agustin Gianni [Fri, 8 Jan 2021 15:04:05 +0000 (16:04 +0100)]
Fix incorrect use of BN_CTX API
In some edge cases BN_CTX_end was being called without first calling
BN_CTX_start. This creates a situation where the state of the big
number allocator is corrupted and may lead to crashes.
Fixes #13812
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13813)
Matt Caswell [Thu, 7 Jan 2021 17:40:09 +0000 (17:40 +0000)]
Fix enable-weak-ssl-ciphers
Commit
e260bee broke the enable-weak-ssl-ciphers option. The stitched
rc4-hmac-md5 cipher implementation did not recognise the tls_version
parameter, and therefore was being incorrectly handled.
Fixes #13795
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13803)
Dr. David von Oheimb [Mon, 28 Dec 2020 10:25:59 +0000 (11:25 +0100)]
x509_vfy.c: Fix a regression in find_issuer()
...in case the candidate issuer cert is identical to the target cert.
This is the v3.0.0 variant of #13749 fixing #13739 for v1.1.1.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
Dr. David von Oheimb [Tue, 29 Dec 2020 11:37:05 +0000 (12:37 +0100)]
Make PEM_X509_INFO_read_bio_ex() conservative on the error queue
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
Dr. David von Oheimb [Mon, 28 Dec 2020 18:45:01 +0000 (19:45 +0100)]
TEST: move cert, key, and CSR loading aux functions to new testutil/load.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
Dr. David von Oheimb [Mon, 28 Dec 2020 10:27:31 +0000 (11:27 +0100)]
Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1
Deprecate X509_NAME_hash()
Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
Richard Levitte [Fri, 20 Nov 2020 22:07:56 +0000 (23:07 +0100)]
Clean away extraneous library specific FETCH_FAILED reason codes
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13467)
Richard Levitte [Sat, 17 Oct 2020 05:07:41 +0000 (07:07 +0200)]
Use centralized fetching errors
We've spread around FETCH_FAILED errors in quite a few places, and
that gives somewhat crude error records, as there's no way to tell if
the error was unavailable algorithms or some other error at such high
levels.
As an alternative, we take recording of these kinds of errors down to
the fetching functions, which are in a much better place to tell what
kind of error it was, thereby relieving the higher level calls from
having to guess.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13467)
Richard Levitte [Sun, 10 Jan 2021 08:28:58 +0000 (09:28 +0100)]
Remove duplicate GENERATE declarations for .pod files
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)
Richard Levitte [Sun, 10 Jan 2021 08:26:22 +0000 (09:26 +0100)]
Configure: warn about duplicate GENERATE declarations in build.info files
This sort of duplication is permitted, as the end result will be a single
item anyway, but we might as well warn to avoid future confusion.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)
Richard Levitte [Sun, 10 Jan 2021 08:13:14 +0000 (09:13 +0100)]
Configure: clean away perl syntax faults
The faults aren't fatal (i.e. perl just shrugs), but are curious.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)
Richard Levitte [Sun, 10 Jan 2021 08:08:46 +0000 (09:08 +0100)]
Configure: Check all SOURCE declarations, to ensure consistency
If the given sources are GENERATEd, we check those generators as well.
This ensures that the declarations in the diverse build.info files are
consistent with existing files.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)
Dr. Matthias St. Pierre [Sat, 9 Jan 2021 16:29:47 +0000 (17:29 +0100)]
v3_ocsp.c: fix indentation of include directives
Fixes #13820
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13822)
John Baldwin [Thu, 7 Jan 2021 22:09:41 +0000 (14:09 -0800)]
Close /dev/crypto file descriptor after CRIOGET ioctl().
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13807)
Dr. David von Oheimb [Thu, 7 Jan 2021 09:16:12 +0000 (10:16 +0100)]
APPS: Print help also on -h and --h; print high-level help when no cmd given
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13799)
Dr. David von Oheimb [Thu, 7 Jan 2021 08:00:02 +0000 (09:00 +0100)]
APPS: Fix confusion between program and app/command name used in diagnostic/help output
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13799)
Dr. David von Oheimb [Tue, 22 Dec 2020 09:28:03 +0000 (10:28 +0100)]
apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)
Dr. David von Oheimb [Tue, 22 Dec 2020 07:37:03 +0000 (08:37 +0100)]
apps/pkey.c: Re-order help output and option documentation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)
Dr. David von Oheimb [Tue, 15 Dec 2020 13:30:38 +0000 (14:30 +0100)]
apps/pkey.c: Make clear that -passout is not supported for DER output
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)
Dr. David von Oheimb [Thu, 10 Dec 2020 16:10:52 +0000 (17:10 +0100)]
apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13712)
Sahana Prasad [Fri, 8 Jan 2021 15:26:21 +0000 (16:26 +0100)]
doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free()
instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13814)
anupamam13 [Mon, 2 Nov 2020 12:20:11 +0000 (17:50 +0530)]
Fix for negative return value from `SSL_CTX_sess_accept()`
Fixes #13183
From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:
- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
"Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
default context is decremented. Hence giving a negative value.
This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13297)
Romain Geissler [Thu, 7 Jan 2021 16:54:58 +0000 (16:54 +0000)]
Fix simpledynamic test compilation when condigured without DSO support.
This fixes this compilation error:
In file included from test/simpledynamic.c:13:
test/simpledynamic.h:39:35: error: unknown type name 'SD'
39 | int sd_load(const char *filename, SD *sd, int type);
| ^~
test/simpledynamic.h:40:12: error: unknown type name 'SD'
40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym);
| ^~
test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM'
40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym);
| ^~~~~~
test/simpledynamic.h:41:14: error: unknown type name 'SD'
41 | int sd_close(SD lib);
| ^~
make[1]: *** [Makefile:24670: test/moduleloadtest-bin-simpledynamic.o] Error 1
make[1]: *** Waiting for unfinished jobs....
In file included from test/moduleloadtest.c:19:
test/simpledynamic.h:39:35: error: unknown type name 'SD'
39 | int sd_load(const char *filename, SD *sd, int type);
| ^~
test/simpledynamic.h:40:12: error: unknown type name 'SD'
40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym);
| ^~
test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM'
40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym);
| ^~~~~~
test/simpledynamic.h:41:14: error: unknown type name 'SD'
41 | int sd_close(SD lib);
| ^~
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13802)
Thomas De Schampheleire [Mon, 21 Dec 2020 14:17:24 +0000 (15:17 +0100)]
replace 'unsigned const char' with 'const unsigned char'
The openssl code base has only a few occurrences of 'unsigned const char'
(15 occurrences), compared to the more common 'const unsigned char' (4420
occurrences).
While the former is not illegal C, mixing the 'const' keyword (a 'type
qualifier') in between 'unsigned' and 'char' (both 'type specifiers') is a
bit odd.
The background for writing this patch is not to be pedantic, but because
the 'opmock' program (used to mock headers for unit tests) does not accept
the 'unsigned const char' construct. While this definitely is a bug in
opmock or one of its dependencies, openssl is the only piece of software we
are using in combination with opmock that has this construct.
CLA: trivial
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13722)
Nicola Tuveri [Tue, 10 Nov 2020 10:28:52 +0000 (12:28 +0200)]
[test][pkey_check] Add more invalid SM2 key tests
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13359)
Nicola Tuveri [Mon, 9 Nov 2020 23:11:48 +0000 (01:11 +0200)]
Add SM2 private key range validation
According to the relevant standards, the valid range for SM2 private
keys is [1, n-1), where n is the order of the curve generator.
For this reason we cannot reuse the EC validation function as it is, and
we introduce a new internal function `sm2_key_private_check()`.
Partially fixes https://github.com/openssl/openssl/issues/8435
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13359)
Nicola Tuveri [Mon, 9 Nov 2020 21:34:00 +0000 (23:34 +0200)]
[test][pkey_check] Add invalid SM2 key test
SM2 private keys have different validation requirements than EC keys:
this test checks one corner case highlighted in
https://github.com/openssl/openssl/issues/8435
As @bbbrumley mentioned in
https://github.com/openssl/openssl/issues/8435#issuecomment-
720504282
this only fixes the absence of a regression test for validation of this
kind of boundary issues for decoded SM2 keys.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13359)
Nicola Tuveri [Mon, 9 Nov 2020 20:35:28 +0000 (22:35 +0200)]
[apps/pkey] Return error on failed `-[pub]check`
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13359)
Nicola Tuveri [Mon, 9 Nov 2020 20:34:18 +0000 (22:34 +0200)]
[test] Add `pkey -check` validation tests
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13359)
Michael Baentsch [Thu, 7 Jan 2021 08:09:32 +0000 (09:09 +0100)]
Adding TLS group name retrieval
Function SSL_group_to_name() added, together with documentation and tests.
This now permits displaying names of internal and external
provider-implemented groups.
Partial fix of #13767
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13785)
Billy Brumley [Tue, 5 Jan 2021 11:08:09 +0000 (13:08 +0200)]
[crypto/dh] side channel hardening for computing DH shared keys
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13783)
Matt Caswell [Thu, 10 Dec 2020 10:36:23 +0000 (10:36 +0000)]
Ensure DTLS free functions can handle NULL
Our free functions should be able to deal with the case where the object
being freed is NULL. This turns out to not be quite the case for DTLS
related objects.
Fixes #13649
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13655)
Otto Hollmann [Tue, 20 Oct 2020 10:47:55 +0000 (12:47 +0200)]
Remove extra space.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12100)
Otto Hollmann [Mon, 19 Oct 2020 14:25:26 +0000 (16:25 +0200)]
Fixed error and return code.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12100)
Otto Hollmann [Mon, 19 Oct 2020 08:05:57 +0000 (10:05 +0200)]
Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12100)
Otto Hollmann [Tue, 9 Jun 2020 13:50:12 +0000 (15:50 +0200)]
Fix set_ciphersuites ignore unknown ciphers.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12100)
Matt Caswell [Thu, 7 Jan 2021 13:48:32 +0000 (13:48 +0000)]
Prepare for 3.0 alpha 11
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Matt Caswell [Thu, 7 Jan 2021 13:48:10 +0000 (13:48 +0000)]
Prepare for release of 3.0 alpha 10
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Matt Caswell [Thu, 7 Jan 2021 13:38:50 +0000 (13:38 +0000)]
Update copyright year
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13800)
Matt Caswell [Mon, 4 Jan 2021 17:29:35 +0000 (17:29 +0000)]
Only perform special TLS handling if TLS has been configured
Skip over special TLS steps for stream ciphers if we haven't been
configured for TLS.
Fixes #12528
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13774)
David CARLIER [Mon, 4 Jan 2021 16:42:47 +0000 (16:42 +0000)]
Mac M1 setting change proposal.
Running tests takes very long with the current setting while it takes a
lot shorter time with this change.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13771)