openssl.git
5 months agoRename some occurrences of 'library_context' and 'lib_ctx' to 'libctx'
Dr. Matthias St. Pierre [Thu, 15 Oct 2020 09:55:50 +0000 (12:55 +0300)]
Rename some occurrences of 'library_context' and 'lib_ctx' to 'libctx'

This change makes the naming more consistent, because three different terms
were used for the same thing. (The term libctx was used by far most often.)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)

5 months agoRename OPENSSL_CTX prefix to OSSL_LIB_CTX
Dr. Matthias St. Pierre [Thu, 15 Oct 2020 09:55:50 +0000 (12:55 +0300)]
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX

Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.

The OPENSSL_CTX type stands out a little by using a different prefix.
For consistency reasons, this type is renamed to OSSL_LIB_CTX.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)

5 months agoMake evp_pkey_ctx_get0_libctx/propq public API
Matt Caswell [Mon, 12 Oct 2020 16:12:03 +0000 (17:12 +0100)]
Make evp_pkey_ctx_get0_libctx/propq public API

These were previously added as an internal API. But since the CMS code
needs them, other code might do too.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)

5 months agoRemove some more CMS key downgrades
Matt Caswell [Tue, 6 Oct 2020 16:02:45 +0000 (17:02 +0100)]
Remove some more CMS key downgrades

Fixes #12983

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)

5 months agoRemove CMS recipient info information out of the algorithm implementations
Matt Caswell [Wed, 7 Oct 2020 14:59:28 +0000 (15:59 +0100)]
Remove CMS recipient info information out of the algorithm implementations

Low level algorithm implementations have no business knowing about details
of the higher level CMS concept. This knowledge is therefore moved into the
CMS layer.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)

5 months agoMove CMS signing code out of the algorithms and into CMS
Matt Caswell [Wed, 7 Oct 2020 13:45:22 +0000 (14:45 +0100)]
Move CMS signing code out of the algorithms and into CMS

There is a large amount of CMS sepcific code in the algorithms. This is in
the wrong place and breaks layering. This code should be in the CMS layer.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)

5 months agoMove CMS enveloping code out of the algorithms and into CMS
Matt Caswell [Tue, 6 Oct 2020 15:02:43 +0000 (16:02 +0100)]
Move CMS enveloping code out of the algorithms and into CMS

There is quite a large amount of algorithm specific CMS code sitting in
the algorithm directories. However, this seems to break layering.
Algorithms really have no business knowing anything about CMS. Really it
should be the other way around. Where there is algorithm specific CMS code
it is the CMS layer that should know how to handle different algorithms.

Therefore we move this code into the CMS layer.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)

5 months agoRemove a CMS key downgrade
Matt Caswell [Fri, 2 Oct 2020 10:25:25 +0000 (11:25 +0100)]
Remove a CMS key downgrade

We were downgrading a key in the CMS code. This is no longer necessary.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)

5 months ago[test][tls-provider] Implement KEM algorithm
Nicola Tuveri [Mon, 28 Sep 2020 05:37:13 +0000 (08:37 +0300)]
[test][tls-provider] Implement KEM algorithm

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)

5 months ago[ssl] Support ssl_encapsulate on server side
Nicola Tuveri [Mon, 28 Sep 2020 01:32:03 +0000 (04:32 +0300)]
[ssl] Support ssl_encapsulate on server side

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)

5 months ago[ssl] Support ssl_decapsulate on client side
Nicola Tuveri [Mon, 28 Sep 2020 00:45:30 +0000 (03:45 +0300)]
[ssl] Support ssl_decapsulate on client side

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)

5 months agoDefine OSSL_CAPABILITY_TLS_GROUP_IS_KEM
Nicola Tuveri [Sun, 27 Sep 2020 23:16:29 +0000 (02:16 +0300)]
Define OSSL_CAPABILITY_TLS_GROUP_IS_KEM

Note that with this commit the optional parameter is introduced, but
libssl still ignores it.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)

5 months ago[test][tls-provider] Add 2nd pluggable tls group for KEM
Nicola Tuveri [Sun, 27 Sep 2020 22:58:24 +0000 (01:58 +0300)]
[test][tls-provider] Add 2nd pluggable tls group for KEM

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)

5 months ago[test][sslapitest] Add test for pluggable KEM group
Nicola Tuveri [Sun, 27 Sep 2020 22:26:41 +0000 (01:26 +0300)]
[test][sslapitest] Add test for pluggable KEM group

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)

5 months ago[test][tls-provider] Group xor_group properties in a struct
Nicola Tuveri [Sun, 27 Sep 2020 22:05:27 +0000 (01:05 +0300)]
[test][tls-provider] Group xor_group properties in a struct

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)

5 months agoUse __BYTE_ORDER__ to test the endianness when available
Kurt Roeckx [Sat, 11 Jul 2020 15:17:09 +0000 (17:17 +0200)]
Use __BYTE_ORDER__ to test the endianness when available

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #13085

6 months agosyscall_random(): don't fail if the getentropy() function is a dummy
Yury Is [Mon, 12 Oct 2020 23:24:52 +0000 (02:24 +0300)]
syscall_random(): don't fail if the getentropy() function is a dummy

Several embedded toolchains may provide dummy implemented getentropy()
function which always returns -1 and sets errno to the ENOSYS.

As a result the function SSL_CTX_new() fails to create a new context.

Fixes #13002

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13114)

6 months agoReconciled c99 and loader arguments for float on NonStop TNS/E and TNS/X.
Randall S. Becker [Fri, 9 Oct 2020 21:17:34 +0000 (15:17 -0600)]
Reconciled c99 and loader arguments for float on NonStop TNS/E and TNS/X.

The default settings are now IEEE float.

CLA: Permission is granted by the author to the ITUGLIB team to use these modifications.

Fixes #12919

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13108)

6 months agoEVP: Take care of locks when downgrading an EVP_PKEY
Richard Levitte [Fri, 25 Sep 2020 07:28:14 +0000 (09:28 +0200)]
EVP: Take care of locks when downgrading an EVP_PKEY

The temporary copy that's made didn't have a lock, which could end up
with a crash.  We now handle locks a bit better, and take extra care to
lock it and keep track of which lock is used where and which lock is
thrown away.

Fixes #12876

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12978)

6 months agoFixed typo in ssl_lib.c
Ikko Ashimine [Mon, 12 Oct 2020 15:30:07 +0000 (00:30 +0900)]
Fixed typo in ssl_lib.c

orignal -> original

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13111)

6 months agoMake TAP::Harness and TAP::Parser optional.
Rainer Jung [Tue, 21 Jul 2020 09:32:02 +0000 (11:32 +0200)]
Make TAP::Harness and TAP::Parser optional.

In OpenSSL 1.1.1 the script run_tests.pl has an effectiver
workaround to fall back to Test::Harness, if TAP::Harness
is not available. That code has substantially changed,
but it seems it should still fall back but doesn't.

Observed on SuSE Linux Enterprise Server 11 (SLES11).

Error messages:

Can't locate TAP/Parser.pm in @inc (@inc contains: /path/to/bld/openssl300/test/../util/perl /path/to/local/perl/lib/perl5 /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl .) at /path/to/local/perl/lib/perl5/parent.pm line 20.
BEGIN failed--compilation aborted at /path/to/bld/openssl300/test/run_tests.pl line 131.

and

Can't locate TAP/Harness.pm in @inc (@inc contains: /path/to/bld/openssl300/test/../util/perl /path/to/local/perl/lib/perl5 /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl .) at /path/to/local/perl/lib/perl5/parent.pm line 20.
BEGIN failed--compilation aborted at /path/to/bld/openssl300/test/run_tests.pl line 215.

Concerning the fix: the docs for parent.pm show, that without
the "-norequire" it puts the require statement in a BEGIN block
which probably runs before the eval, to the loading is no
longer encapsulated by the eval. Without the additional require
line, the loading doesn't happen at all, so the availability
testing fails. Combining the "-norequire" and an explicit
"require" worked for me.

Tested on the original problem platform SLES 11, but also on
SLES 12 and 15, RHEL 6, 7 and 8 plus Solaris 10 Sparc.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12500)

6 months agoDocument how deprecation should be done
Richard Levitte [Tue, 6 Oct 2020 14:11:17 +0000 (16:11 +0200)]
Document how deprecation should be done

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agoOpenSSL::ParseC: handle OSSL_CORE_MAKE_FUNC
Richard Levitte [Mon, 5 Oct 2020 05:55:14 +0000 (07:55 +0200)]
OpenSSL::ParseC: handle OSSL_CORE_MAKE_FUNC

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agoAdd PEM declaration macros that take attributes
Richard Levitte [Sun, 4 Oct 2020 10:51:42 +0000 (12:51 +0200)]
Add PEM declaration macros that take attributes

This makes it possible to easily deprecated selections of PEM
functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agoAdd ASN1 declaration macros that take attributes
Richard Levitte [Sun, 4 Oct 2020 10:20:17 +0000 (12:20 +0200)]
Add ASN1 declaration macros that take attributes

This makes it possible to easily deprecated selections of ASN1
functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agoMake OpenSSL::ParseC and OpenSSL::Ordinals treat deprecation consistently
Richard Levitte [Sun, 4 Oct 2020 09:51:20 +0000 (11:51 +0200)]
Make OpenSSL::ParseC and OpenSSL::Ordinals treat deprecation consistently

The triggering macro that decides if a symbol is to be considered
deprecated is OPENSSL_NO_DEPRECATEDIN_x_y[_z].  OpenSSL::ParseC
renames any OPENSSL_NO_DEPRECATED_x_y[_z] by inserting "IN".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agoAdd convenience macros OSSL_DEPRECATEDIN_{major}_{minor}
Richard Levitte [Sun, 4 Oct 2020 09:13:28 +0000 (11:13 +0200)]
Add convenience macros OSSL_DEPRECATEDIN_{major}_{minor}

As opposed to DEPRECATEDIN_{major}_{minor}(), any use of these macros must
be guarded with a corresponding OPENSSL_NO_DEPRECATED_{major}_{minor}:

    #ifndef OPENSSL_NO_DEPRECATED_3_0
    OSSL_DEPRECATEDIN_3_0 int RSA_size(const RSA *rsa);
    #endif

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agoAdd definitions of OSSL_DEPRECATED[_FOR] for Microsoft VC
Richard Levitte [Sat, 3 Oct 2020 07:45:24 +0000 (09:45 +0200)]
Add definitions of OSSL_DEPRECATED[_FOR] for Microsoft VC

It turns out that they have __declspec(deprecated) that correspond
pretty much to GCC's __attribute__((deprecated)), including for
messages.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agoChange OSSL_DEPRECATED to take a version argument
Richard Levitte [Sat, 3 Oct 2020 07:33:32 +0000 (09:33 +0200)]
Change OSSL_DEPRECATED to take a version argument

The macro value is changed to use deprecation messages where whose are
supported.

We also add the macro OSSL_DEPRECATED_FOR(), to be used whenever an
additional message text is desirable, for example to tell the user
what the deprecated is replaced with.  Example:

    OSSL_DEPRECATED_FOR(3.0,"use EVP_PKEY and EVP_PKEY_size() instead")
    int RSA_size(const RSA *rsa);

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agoAdd a macro OSSL_DEPRECATED for compiler dependent deprecation attributes
Richard Levitte [Sat, 3 Oct 2020 07:26:36 +0000 (09:26 +0200)]
Add a macro OSSL_DEPRECATED for compiler dependent deprecation attributes

The diverse DEPRECATEDIN_x_y_z macros are rewritten in terms of this macro.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)

6 months agocoverity 1403324 negative array index: check for finding an unknown value and error...
Pauli [Thu, 8 Oct 2020 23:36:50 +0000 (09:36 +1000)]
coverity 1403324 negative array index: check for finding an unknown value and error if so (since it shouldn't happen).

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)

6 months agocoverity 1414446 out-of-bounds access: allocate \0 terminator byte to be safe
Pauli [Thu, 8 Oct 2020 23:32:04 +0000 (09:32 +1000)]
coverity 1414446 out-of-bounds access: allocate \0 terminator byte to be safe

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)

6 months agovms: move otherwise dead code into the VMS relevant path.
Pauli [Thu, 8 Oct 2020 00:25:06 +0000 (10:25 +1000)]
vms: move otherwise dead code into the VMS relevant path.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)

6 months agoAdapt some code to OSSL_ENCODER_to_data() / OSSL_DECODER_from_data()
Richard Levitte [Mon, 5 Oct 2020 12:27:37 +0000 (14:27 +0200)]
Adapt some code to OSSL_ENCODER_to_data() / OSSL_DECODER_from_data()

The functions i2d_PrivateKey(), try_key_value() i store_result.c and
X509_PUBKEY_set() were all essentially duplicating this functionality
to some degree.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13094)

6 months agoENCODER / DECODER: Add functions to encode/decode to/from a buffer
Richard Levitte [Mon, 5 Oct 2020 12:23:55 +0000 (14:23 +0200)]
ENCODER / DECODER: Add functions to encode/decode to/from a buffer

This adds OSSL_ENCODER_to_data() and OSSL_DECODER_from_data().  These
functions allow fairly simple rewrites of type-specific i2d and d2i
calls.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13094)

6 months agoFix diverse ERR code conflicts
Richard Levitte [Thu, 8 Oct 2020 06:11:32 +0000 (08:11 +0200)]
Fix diverse ERR code conflicts

There was a number of potential range conflicts between reason codes
from different places.  Library specific reason codes are allowed to
start at 100, so it means that anything "global" is limited to the
range 1..99.
At the same time, we have the ERR_R_LIB_xxx reason codes, which have
the same numbers as ERR_LIB_xxx, potential range 1..255.
And then we have the common ERR_R_ reason codes, potential range in
OpenSSL 1.1.1 is 1..99, where fatal reasons occupy 64..99.  For
OpenSSL 3.0-dev, the range for the common reason codes was pushed up
to 64..99 in an attempt to reduce the conflicts with the ERR_R_LIB_xxx
reason codes.

Currently existing conflicts in OpenSSL 1.1.1:

ERR_R_BUF_LIB and ERR_R_PASSED_INVALID_ARGUMENT have the same code.

There are currently no existing conflicts in OpenSSL 3.0-dev, but
considering that ERR_LIB_HTTP is 61, a few more modules and associated
ERR_R_LIB_xxx are going to sniff awfully close to 64, where the
common ERR_R_ codes currently start.

To avoid these range conflicts, the strategy to recognise common
reason codes is change to depend on a reason flag, ERR_RFLAG_COMMON,
and the common error codes themselves have moved start at 256, giving
them the potential range 256..2^18-1, and thus allowing ERR_R_LIB_xxx
the full range of library codes, 1..255.

The dual purpose ERR_R_FATAL is also handled in this change, by
allowing the rflags and reason codes to overlap by 1 bit, and make
both ERR_R_FATAL and ERR_RFLAG_FATAL have the same value, 2^18.

With this change, there's no need to worry about reason code conflicts
any more, every library specific range as well as the common range is
1..2^18-1.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13093)

6 months agomake ordinals
Richard Levitte [Thu, 8 Oct 2020 05:22:38 +0000 (07:22 +0200)]
make ordinals

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)

6 months agoModify util/mknum.pl to drop new symbols that don't exist any more
Richard Levitte [Thu, 8 Oct 2020 04:30:35 +0000 (06:30 +0200)]
Modify util/mknum.pl to drop new symbols that don't exist any more

This makes use of the writer filters in OpenSSL::Ordinals.

Fixes #10395

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)

6 months agoOpenSSL::Ordinals: Add options for the writing functions
Richard Levitte [Thu, 8 Oct 2020 04:27:51 +0000 (06:27 +0200)]
OpenSSL::Ordinals: Add options for the writing functions

OpenSSL::Ordinals::rewrite() and OpenSSL::Ordinals::write() now take
options, that are simply passed to OpenSSL::Ordinals::items().  The
'sort' option is forbidden, though, since write() already uses it, but
that means it's possible to filter the output.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)

6 months agoINSTALL.md: Drop trailing spaces on a line
Tomas Mraz [Thu, 8 Oct 2020 15:24:44 +0000 (17:24 +0200)]
INSTALL.md: Drop trailing spaces on a line

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/13097)

6 months agoDisabled symbol_presence test on NonStop due to different nm format.
Randall S. Becker [Tue, 29 Sep 2020 20:21:38 +0000 (15:21 -0500)]
Disabled symbol_presence test on NonStop due to different nm format.

CLA: trivial
Fixes #12996

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13036)

6 months agoSet mark and pop error in d2i_PrivateKey_ex
Daniel Bevenius [Mon, 5 Oct 2020 06:14:29 +0000 (08:14 +0200)]
Set mark and pop error in d2i_PrivateKey_ex

This commit sets the error mark before calling old_priv_decode and if
old_priv_decode returns false, and if EVP_PKCS82PKEY is successful, the
errors are popped to the previously set mark.

The motivation for this is an issue we found when linking Node.js
against OpenSSL 3.0. Details can be found in the link below and the
test case provided in this commit attempts cover this.

Refs: https://github.com/danbev/learning-libcrypto#asn1-wrong-tag-issue
Refs: https://github.com/nodejs/node/issues/29817

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13073)

6 months agoFix zero-length content verification in S/MIME format
Dmitry Belyavskiy [Wed, 7 Oct 2020 10:23:01 +0000 (13:23 +0300)]
Fix zero-length content verification in S/MIME format

Fixes #13082

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13087)

6 months agoTests for processing zero-length content in SMIME format
Dmitry Belyavskiy [Wed, 7 Oct 2020 10:05:28 +0000 (13:05 +0300)]
Tests for processing zero-length content in SMIME format

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13087)

6 months agoCorrect and simplify use of ERR_clear_error() etc. for loading DSO libs
Dr. David von Oheimb [Wed, 30 Sep 2020 11:50:34 +0000 (13:50 +0200)]
Correct and simplify use of ERR_clear_error() etc. for loading DSO libs

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13045)

6 months agoAllow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
André Klitzing [Wed, 18 Mar 2020 15:04:06 +0000 (16:04 +0100)]
Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE

This unifies the behaviour of a single certificate with
an unknown CA certificate with a self-signed certificate.
The user callback can mask that error to retrieve additional
error information. So the user application can decide to
abort the connection instead to be forced by openssl.

This change in behaviour is backward compatible as user callbacks
who don't want to ignore UNABLE_TO_VERIFY_LEAF_SIGNATURE will
still abort the connection by default.

CLA: trivial
Fixes #11297

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13083)

6 months agoFix the decoder start type handling
Matt Caswell [Thu, 1 Oct 2020 16:17:58 +0000 (17:17 +0100)]
Fix the decoder start type handling

If an explicit decoder start type was provided then it wasn't being
handled correctly in all cases. Specifically if a PEM start type was
provided then the decoder would fail.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13050)

6 months agoAdd a test for encoding and decoding of parameters files
Matt Caswell [Thu, 1 Oct 2020 14:34:24 +0000 (15:34 +0100)]
Add a test for encoding and decoding of parameters files

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13050)

6 months agoFix encoding of DHX parameters files
Matt Caswell [Thu, 1 Oct 2020 14:33:14 +0000 (15:33 +0100)]
Fix encoding of DHX parameters files

We were getting confused with DHX parameters and encoding them as PKCS3
DH parameters instead.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13050)

6 months agoExpose PKCS7_get_octet_string and PKCS7_type_is_other
Jordan Montgomery [Fri, 2 Oct 2020 06:02:52 +0000 (23:02 -0700)]
Expose PKCS7_get_octet_string and PKCS7_type_is_other

Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public interface.
Fixes #11139

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13059)

6 months agoDocument install_fips in INSTALL.md
Richard Levitte [Tue, 6 Oct 2020 16:14:12 +0000 (18:14 +0200)]
Document install_fips in INSTALL.md

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13032)

6 months agoproviders/build.info: Tag the FIPS module, for the build file
Richard Levitte [Tue, 29 Sep 2020 16:32:34 +0000 (18:32 +0200)]
providers/build.info: Tag the FIPS module, for the build file

The build file templates have code to pick up the 'fips' attribute and
thereby find out what module is the FIPS without having to resort to
ugly hard coding.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13032)

6 months agodescrip.mms.tmpl: Add a target to install the FIPS module config
Richard Levitte [Tue, 29 Sep 2020 16:31:58 +0000 (18:31 +0200)]
descrip.mms.tmpl: Add a target to install the FIPS module config

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13032)

6 months agowindows-makefile.tmpl: Add a target to install the FIPS module config
Richard Levitte [Tue, 29 Sep 2020 16:31:44 +0000 (18:31 +0200)]
windows-makefile.tmpl: Add a target to install the FIPS module config

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13032)

6 months agounix-Makefile.tmpl: Add a target to install the FIPS module config
Richard Levitte [Tue, 29 Sep 2020 09:11:38 +0000 (11:11 +0200)]
unix-Makefile.tmpl: Add a target to install the FIPS module config

Fixes #12195

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13032)

6 months agoERR: fix comment typo in err.c
Daniel Bevenius [Mon, 5 Oct 2020 13:08:15 +0000 (15:08 +0200)]
ERR: fix comment typo in err.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13076)

6 months agoocsp.h: Fix backward compatibility declaration of OCSP_parse_url()
Dr. David von Oheimb [Mon, 5 Oct 2020 20:56:54 +0000 (22:56 +0200)]
ocsp.h: Fix backward compatibility declaration of OCSP_parse_url()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13077)

6 months agoapps: remove internal/cryptlib.h include that isn't used
Pauli [Wed, 30 Sep 2020 10:17:55 +0000 (20:17 +1000)]
apps: remove internal/cryptlib.h include that isn't used

[extended tests]

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13047)

6 months agorsa: add ossl_ prefix to internal rsa_ calls.
Pauli [Wed, 30 Sep 2020 04:20:14 +0000 (14:20 +1000)]
rsa: add ossl_ prefix to internal rsa_ calls.

The functions being:
    rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff,
    rsa_check_prime_factor, rsa_check_prime_factor_range,
    rsa_check_private_exponent, rsa_check_public_exponent,
    rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata,
    rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30,
    rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names,
    rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid,
    rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx,
    rsa_padding_add_PKCS1_type_2_with_libctx,
    rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS,
    rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata,
    rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted,
    rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg,
    rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults,
    rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg,
    rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen,
    rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata,
    rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params,
    rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private,
    rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq,
    rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test,
    rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise,
    rsa_validate_private and rsa_validate_public.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13040)

6 months agoAvoid memory leak of parent on allocation failure for child structure
Benny Baumann [Thu, 1 Oct 2020 23:06:12 +0000 (01:06 +0200)]
Avoid memory leak of parent on allocation failure for child structure

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)

6 months agoUse size of target buffer for allocation
Benny Baumann [Thu, 1 Oct 2020 23:04:06 +0000 (01:04 +0200)]
Use size of target buffer for allocation

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)

6 months agoMove CMP CLI test output files to BLDTOP/test-runs/test_cmp_cli/
Dr. David von Oheimb [Mon, 21 Sep 2020 12:14:33 +0000 (14:14 +0200)]
Move CMP CLI test output files to BLDTOP/test-runs/test_cmp_cli/

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12934)

6 months agoTest.pm: Add result_dir and export both result_dir and result_file
Dr. David von Oheimb [Wed, 23 Sep 2020 16:58:17 +0000 (18:58 +0200)]
Test.pm: Add result_dir and export both result_dir and result_file

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12934)

6 months agoChange CVE link style in CHANGES and NEWS
Dr. Matthias St. Pierre [Thu, 24 Sep 2020 06:11:00 +0000 (08:11 +0200)]
Change CVE link style in CHANGES and NEWS

Replace [collapsed reference links][] for the CVEs by
[shortcut reference links], in order to to improve the
readability of the raw markdown text.

Consistently add parentheses around the CVE links at the
end of the CVE descriptions. (The NEWS file already had
the parentheses, in the CHANGES file they where missing.)

[collapsed reference links]:
  https://github.github.com/gfm/#collapsed-reference-link

[shortcut reference links]:
  https://github.github.com/gfm/#shortcut-reference-link

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12967)

6 months agoUpdate CHANGES and NEWS for 1.1.1h release
Dr. Matthias St. Pierre [Thu, 24 Sep 2020 05:58:52 +0000 (07:58 +0200)]
Update CHANGES and NEWS for 1.1.1h release

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12967)

6 months agoffc: add _ossl to exported but internal functions
Pauli [Wed, 30 Sep 2020 05:07:24 +0000 (15:07 +1000)]
ffc: add _ossl to exported but internal functions

The functions updated are:
    ffc_generate_private_key, ffc_named_group_from_uid,
    ffc_named_group_to_uid, ffc_params_FIPS186_2_gen_verify,
    ffc_params_FIPS186_2_generate, ffc_params_FIPS186_2_validate,
    ffc_params_FIPS186_4_gen_verify, ffc_params_FIPS186_4_generate,
    ffc_params_FIPS186_4_validate, ffc_params_cleanup, ffc_params_cmp,
    ffc_params_copy, ffc_params_enable_flags, ffc_params_flags_from_name,
    ffc_params_flags_to_name, ffc_params_fromdata,
    ffc_params_get0_pqg, ffc_params_get_validate_params,
    ffc_params_init, ffc_params_print, ffc_params_set0_j,
    ffc_params_set0_pqg, ffc_params_set_flags, ffc_params_set_gindex,
    ffc_params_set_h, ffc_params_set_pcounter, ffc_params_set_seed,
    ffc_params_set_validate_params, ffc_params_simple_validate,
    ffc_params_todata, ffc_params_validate_unverifiable_g, ffc_set_digest,
    ffc_set_group_pqg, ffc_validate_private_key, ffc_validate_public_key
    and ffc_validate_public_key_partial.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13041)

6 months agodoc: remove duplicated code in example
Pauli [Wed, 30 Sep 2020 10:01:02 +0000 (20:01 +1000)]
doc: remove duplicated code in example

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13048)

6 months agoSome OIDs used in Russian X.509 certificates.
Dmitry Belyavskiy [Fri, 22 Feb 2019 15:36:00 +0000 (18:36 +0300)]
Some OIDs used in Russian X.509 certificates.

OBJ_OGRNIP denotes a specific legal status of the certificate owner.
OBJ_classSignTool* denotes a level of certification of the software
created the certificate.

http://www.garant.ru/products/ipo/prime/doc/70033464/ is the relevant
link (in Russian).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8309)

6 months agoAPPS: Reduce deprecation warning suppression - ENGINE
Richard Levitte [Wed, 30 Sep 2020 16:01:06 +0000 (18:01 +0200)]
APPS: Reduce deprecation warning suppression - ENGINE

Some of our apps turn off deprecation warnings solely for the sake of
ENGINE, and thereby shadowing other deprecations that we should take
better care of.

To solve this, all apps ENGINE functionality is move to one file,
where deprecation warning suppression is activate, and the same
suppression can then easily be removed in at least some of the apps.
Any remaining suppression that we still need to deal with should
happen as separate efforts.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13044)

6 months agoDECODER: Allow precise result type for OSSL_DECODER_CTX_new_by_EVP_PKEY()
Richard Levitte [Fri, 2 Oct 2020 12:21:51 +0000 (14:21 +0200)]
DECODER: Allow precise result type for OSSL_DECODER_CTX_new_by_EVP_PKEY()

There is some data that is very difficult to guess.  For example, DSA
parameters and X9.42 DH parameters look exactly the same, a SEQUENCE
of 3 INTEGER.  Therefore, callers may need the possibility to select
the exact keytype that they expect to get.

This will also allow use to translate d2i_TYPEPrivateKey(),
d2i_TYPEPublicKey() and d2i_TYPEParams() into OSSL_DECODER terms much
more smoothly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13061)

6 months agoDECODER: Handle abstract object data type
Richard Levitte [Fri, 2 Oct 2020 11:56:54 +0000 (13:56 +0200)]
DECODER: Handle abstract object data type

The PEM->DER decoder passes the data type of its contents, something
that decoder_process() ignored.

On the other hand, the PEM->DER decoder passed nonsense.

Both issues are fixed here.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13060)

6 months agoConfiguration: add initial NonStop values in OpenSSL::config
Richard Levitte [Thu, 24 Sep 2020 20:00:16 +0000 (22:00 +0200)]
Configuration: add initial NonStop values in OpenSSL::config

This makes Configure work it's automatic config detection, at least for
the simple straightforward cases.

Fixes #12972

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12973)

6 months agoEnsure that _GNU_SOURCE is defined for NI_MAXHOST and NI_MAXSERV
drgler [Thu, 1 Oct 2020 19:20:33 +0000 (21:20 +0200)]
Ensure that _GNU_SOURCE is defined for NI_MAXHOST and NI_MAXSERV

Since glibc 2.8, these defines like `NI_MAXHOST` are exposed only
if suitable feature test macros are defined, namely: _GNU_SOURCE,
_DEFAULT_SOURCE (since glibc 2.19), or _BSD_SOURCE or _SVID_SOURCE
(before glibc 2.19), see GETNAMEINFO(3).

CLA: trivial
Fixes #13049

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13054)

6 months agoFix segfault on missing provider_query_operation()
Nicola Tuveri [Fri, 2 Oct 2020 00:58:10 +0000 (03:58 +0300)]
Fix segfault on missing provider_query_operation()

A provider without `provider_query_operation()` is admittedly quite
useless, yet technically the base provider functions are not mandatory
according to our documentation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13058)

6 months agoTLS AEAD ciphers: more bytes for key_block than needed
Maxim Masiutin [Tue, 29 Sep 2020 15:40:56 +0000 (18:40 +0300)]
TLS AEAD ciphers: more bytes for key_block than needed

Fixes #12007
The key_block length was not written to trace, thus it was not obvious
that extra key_bytes were generated for TLS AEAD.

The problem was that EVP_CIPHER_iv_length was called even for AEAD ciphers
to figure out how many bytes from the key_block were needed for the IV.
The correct way was to take cipher mode (GCM, CCM, etc) into
consideration rather than simply callin the general function
EVP_CIPHER_iv_length.

The new function tls_iv_length_within_key_block takes this into
consideration.

Besides that, the order of addendums was counter-intuitive MAC length
was second, but it have to be first to correspond the order given in the RFC.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13035)

6 months agoEVP: use evp_pkey_ctx_is_legacy() to find what implementation to use
Richard Levitte [Wed, 30 Sep 2020 15:22:27 +0000 (17:22 +0200)]
EVP: use evp_pkey_ctx_is_legacy() to find what implementation to use

We've had explicit checks for when to fall back to legacy code for
operations that use an EVP_PKEY.  Unfortunately, the checks were
radically different in different spots, so we refactor that into a
macro that gets used everywhere.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13043)

6 months agoFix memory leak in req_cb() of x_req.c - handle distinguishing_id also with NO_SM2
Dr. David von Oheimb [Mon, 28 Sep 2020 08:31:46 +0000 (10:31 +0200)]
Fix memory leak in req_cb() of x_req.c - handle distinguishing_id also with NO_SM2

Was detected via test_req_distinguishing_id() with config having no-ec but not no-sm2

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13021)

6 months agoFix some things the rename script didn't quite get right
Matt Caswell [Thu, 24 Sep 2020 09:56:03 +0000 (10:56 +0100)]
Fix some things the rename script didn't quite get right

The previous commit ran an automated rename throughout the codebase.
There are a small number of things it didn't quite get right so we fix
those in this commit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)

6 months agoRun the withlibctx.pl script
Matt Caswell [Thu, 24 Sep 2020 09:42:23 +0000 (10:42 +0100)]
Run the withlibctx.pl script

Automatically rename all instances of _with_libctx() to _ex() as per
our coding style.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)

6 months agoPerl util to do with_libctx renaming
Matt Caswell [Tue, 22 Sep 2020 07:16:44 +0000 (08:16 +0100)]
Perl util to do with_libctx renaming

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)

6 months agoder: _ossl prefix der_oid_ and der_aid_ functions
Pauli [Wed, 30 Sep 2020 03:59:20 +0000 (13:59 +1000)]
der: _ossl prefix der_oid_ and der_aid_ functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13038)

6 months agoder: _ossl prefix DER functions
Pauli [Wed, 30 Sep 2020 02:15:12 +0000 (12:15 +1000)]
der: _ossl prefix DER functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13038)

6 months agorsa_mp_coeff_names should only have one entry in it for fips mode.
Shane Lontis [Sun, 27 Sep 2020 21:46:29 +0000 (07:46 +1000)]
rsa_mp_coeff_names should only have one entry in it for fips mode.

Reported by Tim Hudson

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13011)

6 months agoprov: prefix all exposed 'cipher' symbols with ossl_
Pauli [Tue, 29 Sep 2020 07:40:26 +0000 (17:40 +1000)]
prov: prefix all exposed 'cipher' symbols with ossl_

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13030)

6 months agoprov: prefix aes-cbc-cts functions with ossl_
Pauli [Tue, 29 Sep 2020 06:40:58 +0000 (16:40 +1000)]
prov: prefix aes-cbc-cts functions with ossl_

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13030)

6 months agocheck-format.pl: Allow nested indentation of labels (not only at line pos 1)
Dr. David von Oheimb [Mon, 28 Sep 2020 07:18:01 +0000 (09:18 +0200)]
check-format.pl: Allow nested indentation of labels (not only at line pos 1)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)

6 months agocheck-format.pl: Extend exceptions for no SPC after trailing ';' in 'for (...;)'
Dr. David von Oheimb [Mon, 28 Sep 2020 06:18:32 +0000 (08:18 +0200)]
check-format.pl: Extend exceptions for no SPC after trailing ';' in 'for (...;)'

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)

6 months agocheck-format.pl: Document how to run positive and negative self-tests
Dr. David von Oheimb [Mon, 28 Sep 2020 06:26:31 +0000 (08:26 +0200)]
check-format.pl: Document how to run positive and negative self-tests

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)

6 months agoEC_GROUP_new_by_curve_name_with_libctx(): Add name of unknown group to error output
Dr. David von Oheimb [Tue, 29 Sep 2020 08:33:22 +0000 (10:33 +0200)]
EC_GROUP_new_by_curve_name_with_libctx(): Add name of unknown group to error output

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)

6 months agoPrune low-level ASN.1 parse errors from error queue in der2key_decode() etc.
Dr. David von Oheimb [Mon, 28 Sep 2020 14:14:14 +0000 (16:14 +0200)]
Prune low-level ASN.1 parse errors from error queue in der2key_decode() etc.

Also adds error output tests on loading key files with unsupported algorithms to 30-test_evp.t

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)

6 months ago25-test_x509.t: Add test for suitable error report loading unsupported sm2 cert
Dr. David von Oheimb [Mon, 28 Sep 2020 17:44:49 +0000 (19:44 +0200)]
25-test_x509.t: Add test for suitable error report loading unsupported sm2 cert

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)

6 months agoConfigure: handle undefined shared_target.
Richard Levitte [Tue, 29 Sep 2020 08:31:56 +0000 (10:31 +0200)]
Configure: handle undefined shared_target.

Some very basic config targets don't defined the 'shared_target'
attribute at all.  This wasn't handled well enough in Configure.
This also cleans away an explicit reference to the ossltest engine in
Configurations/unix-Makefile.tmpl, which isn't necessary since the
build.info attributes were added.

Fixes openssl/web#197

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13031)

6 months agoprov: prefix provider internal functions with ossl_
Pauli [Mon, 28 Sep 2020 02:47:04 +0000 (12:47 +1000)]
prov: prefix provider internal functions with ossl_

Also convert the names to lower case.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13014)

6 months agoprov: prefix all OSSL_DISPATCH tables names with ossl_
Pauli [Mon, 28 Sep 2020 02:28:29 +0000 (12:28 +1000)]
prov: prefix all OSSL_DISPATCH tables names with ossl_

This stops them leaking into other namespaces in a static build.
They remain internal.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13013)

6 months ago30-test_evp.t: On no-dh, no-dsa, no-ec, no-sm2, and no-gost configurations disable...
Dr. David von Oheimb [Mon, 28 Sep 2020 08:57:00 +0000 (10:57 +0200)]
30-test_evp.t: On no-dh, no-dsa, no-ec, no-sm2, and no-gost configurations disable respective tests

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13022)

6 months agoappveyor.yml: Clean up minimal configuration, adding no-ec and pruning cascaded no-*
Dr. David von Oheimb [Mon, 28 Sep 2020 12:16:30 +0000 (14:16 +0200)]
appveyor.yml: Clean up minimal configuration, adding no-ec and pruning cascaded no-*

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13022)

6 months agorand: declare get_hardware_random_value() before use.
Pauli [Sun, 27 Sep 2020 02:47:47 +0000 (12:47 +1000)]
rand: declare get_hardware_random_value() before use.

Introduced by #12923

Fixes #13004

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13005)

6 months agoRemove TODO comment from sskdf.c
Shane Lontis [Sat, 26 Sep 2020 02:41:41 +0000 (12:41 +1000)]
Remove TODO comment from sskdf.c

Fixes #12993

The implementation follows the standards/recommendations specified by https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12999)

6 months agotodo: remove fork protection todo comment, it isn't relevant to the FIPS provider
Pauli [Fri, 25 Sep 2020 22:37:38 +0000 (08:37 +1000)]
todo: remove fork protection todo comment, it isn't relevant to the FIPS provider

Fixes #12984

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12997)

6 months agooptimise ssl3_get_cipher_by_std_name()
hklaas [Sat, 26 Sep 2020 09:54:13 +0000 (10:54 +0100)]
optimise ssl3_get_cipher_by_std_name()

Return immediately on matched cipher. Without this patch the code only breaks out of the inner for loop, meaning for a matched TLS13 cipher the code will still loop through 160ish SSL3 ciphers.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13000)