Richard Levitte [Thu, 9 Jul 2020 16:55:44 +0000 (18:55 +0200)]
CORE: Add upcalls for BIO_gets() and BIO_puts()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)
Richard Levitte [Wed, 8 Jul 2020 21:19:13 +0000 (23:19 +0200)]
SERIALIZER: Add functions to deserialize into an EVP_PKEY
EVP_PKEY is the fundamental type for provider side code, so we
implement specific support for it, in form of a special context
constructor.
This constructor looks up and collects all available KEYMGMT
implementations, and then uses those names to collect deserializer
implementations, as described in the previous commit.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)
Richard Levitte [Wed, 8 Jul 2020 21:04:08 +0000 (23:04 +0200)]
DESERIALIZER: Add foundation for deserializers
This adds a method OSSL_DESERIALIZER, a deserializer context and basic
support to use a set of serializers to get a desired type of data, as
well as deserializer chains.
The idea is that the caller can call OSSL_DESERIALIZER_CTX_add_serializer()
to set up the set of desired results, and to add possible chains, call
OSSL_DESERIALIZER_CTX_add_extra(). All these deserializers are pushed
on an internal stack.
The actual deserialization is then performed using functions like
OSSL_DESERIALIZER_from_bio(). When performing deserialization, the
inernal stack is walked backwards, keeping track of the deserialized
data and its type along the way, until the data kan be processed into
the desired type of data.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)
Richard Levitte [Wed, 8 Jul 2020 20:21:18 +0000 (22:21 +0200)]
KEYMGMT: Add key loading function OSSL_FUNC_keymgmt_load()
This function is used to create a keydata for a key that libcrypto
only has a reference to.
This introduces provider references, the contents which only the
provider know how to interpret. Outside of the provider, this is just
an array of bytes.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)
Richard Levitte [Wed, 8 Jul 2020 20:09:32 +0000 (22:09 +0200)]
EVP KEYMGMT utils: Make a few more utility functions available
This makes the following functions available for libcrypto code:
evp_keymgmt_util_try_import() - callback function
evp_keymgmt_util_assign_pkey() - assigns keymgmt and keydata to an EVP_PKEY
evp_keymgmt_util_make_pkey() - creates an EVP_PKEY from keymgmt and keydata
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)
Shane Lontis [Fri, 24 Jul 2020 12:53:27 +0000 (22:53 +1000)]
Add X509 related libctx changes.
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12153)
Shane Lontis [Thu, 23 Jul 2020 07:40:40 +0000 (17:40 +1000)]
Test RSA oaep in fips mode
Added RSA oaep test that uses the pkeyutl application.
Added an openssl application option to support loading a (fips) provider via the '-config' option.
Added openssl application related environment variable 'OPENSSL_TEST_LIBCTX' (for testing purposes only),
that creates a non default library context.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11948)
Dr. Matthias St. Pierre [Mon, 20 Jul 2020 21:21:37 +0000 (23:21 +0200)]
Fix: uninstantiation breaks the RAND_DRBG callback mechanism
The RAND_DRBG callbacks are wrappers around the EVP_RAND callbacks.
During uninstantiation, the EVP_RAND callbacks got lost while the
RAND_DRBG callbacks remained, because RAND_DRBG_uninstantiate()
calls RAND_DRBG_set(), which recreates the EVP_RAND object.
This was causing drbgtest failures.
This commit fixes the problem by adding code to RAND_DRBG_set() for
saving and restoring the EVP_RAND callbacks.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11195)
Dr. Matthias St. Pierre [Mon, 13 Jul 2020 00:02:15 +0000 (02:02 +0200)]
test/drbgtest.c: set the correct counter to trigger reseeding
It's the generate counter (drbg->reseed_gen_counter), not the
reseed counter which needs to be raised above the reseed_interval.
This mix-up was partially caused by some recent renamings of DRBG
members variables, but that will be dealt with in a separate commit.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11195)
Dr. Matthias St. Pierre [Sat, 4 Jul 2020 10:29:14 +0000 (12:29 +0200)]
test/drbgtest.c: Remove error check for large generate requests
The behaviour of RAND_DRBG_generate() has changed. Previously, it
would fail for requests larger than max_request, now it automatically
splits large input into chunks (which was previously done only
by RAND_DRBG_bytes() before calling RAND_DRBG_generate()).
So this test has not only become obsolete, the fact that it succeeded
unexpectedly also caused a buffer overflow that terminated the test.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11195)
Vitezslav Cizek [Mon, 1 Jun 2020 09:45:09 +0000 (11:45 +0200)]
Fix DRBG reseed counter condition.
The reseed counter condition was broken since
a93ba40, where the
initial value was wrongly changed from one to zero.
Commit
8bf3665 fixed the initialization, but also adjusted the check,
so the problem remained.
This change restores original (OpenSSL-fips-2_0-stable) behavior.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11195)
Vitezslav Cizek [Thu, 27 Feb 2020 14:37:43 +0000 (15:37 +0100)]
test/drbgtest.c: Fix error check test
The condition in test_error_checks() was inverted, so it succeeded
as long as error_check() failed. Incidently, error_check() contained
several bugs that assured it always failed, thus giving overall drbg
test success.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11195)
Shane Lontis [Tue, 21 Jul 2020 00:51:33 +0000 (10:51 +1000)]
Cleanup fips provider init
Removed dummy evp_test
Changed all algorithm properties to use fips=yes (except for RAND_TEST) (This changes the DRBG and ECX settings)
Removed unused includes.
Added TODO(3.0) for issue(s) that need to be resolved.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12498)
Pauli [Tue, 21 Jul 2020 07:40:19 +0000 (17:40 +1000)]
document the deprecation of the '-public-key-methods' option to list
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11082)
Pauli [Thu, 13 Feb 2020 01:00:57 +0000 (11:00 +1000)]
EVP: deprecate the EVP_X_meth_ functions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11082)
Pauli [Wed, 22 Apr 2020 00:38:10 +0000 (10:38 +1000)]
engines: fixed to work with EVP_*_meth calls deprecated
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11082)
Pauli [Wed, 22 Apr 2020 00:25:23 +0000 (10:25 +1000)]
evp_test: use correct deallocation for EVP_CIPHER
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11082)
Pauli [Wed, 22 Apr 2020 00:24:05 +0000 (10:24 +1000)]
evp_test: use correct deallocation for EVP_MD
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11082)
gujinqiang [Fri, 17 Jul 2020 09:52:26 +0000 (17:52 +0800)]
Specific the engine pointer
CLA: trivial
I found that when I wanted to use an engine by the option-engine XXX , it didn't work. Checking the code, I guess it missed the engine pointer when calling EVP_CipherInit_ex.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12475)
Gustaf Neumann [Fri, 17 Jul 2020 10:31:26 +0000 (12:31 +0200)]
Align documentation with recommendations of Linux Documentation Project
This change applies the recommendation of the Linux Documentation Project
to the documentation files of OpenSSL. Additionally, util/find-doc-nits
was updated accordingly.
The change follows a suggestion of mspncp on https://github.com/openssl/openssl/pull/12370
and incoporates the requested changes on the pull request
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12460)
Dr. David von Oheimb [Sat, 18 Jul 2020 14:09:19 +0000 (16:09 +0200)]
Fix UI method setup, which should be independent of (deprecated) engine use
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12422)
Dr. David von Oheimb [Tue, 14 Jul 2020 08:38:06 +0000 (10:38 +0200)]
81-test_cmp_cli.t: Avoid using 'tail', 'awk', and the '-s' option of 'lsof'
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12422)
Dr. David von Oheimb [Sat, 11 Jul 2020 11:20:39 +0000 (13:20 +0200)]
Skip test_cmp_cli if 'lsof' or 'kill' command is not available
Fixes #12324
partly fixes #12378
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12422)
Shane Lontis [Wed, 22 Jul 2020 00:40:55 +0000 (10:40 +1000)]
Fix provider cipher reinit issue
Fixes #12405
Fixes #12377
Calling Init()/Update() and then Init()/Update() again gave a different result when using the same key and iv.
Cipher modes that were using ctx->num were not resetting this value, this includes OFB, CFB & CTR.
The fix is to reset this value during the ciphers einit() and dinit() methods.
Most ciphers go thru a generic method so one line fixes most cases.
Add test for calling EVP_EncryptInit()/EVP_EncryptUpdate() multiple times for all ciphers.
Ciphers should return the same value for both updates.
DES3-WRAP does not since it uses a random in the update.
CCM modes currently also fail on the second update (This also happens in 1_1_1).
Fix memory leak in AES_OCB cipher if EVP_EncryptInit is called multiple times.
Fix AES_SIV cipher dup_ctx and init.
Calling EVP_CIPHER_init multiple times resulted in a memory leak in the siv.
Fixing this leak also showed that the dup ctx was not working for siv mode.
Note: aes_siv_cleanup() can not be used by aes_siv_dupctx() as it clears data
that is required for the decrypt (e.g the tag).
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12413)
Viktor Dukhovni [Fri, 17 Jul 2020 01:30:43 +0000 (23:30 -0200)]
Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve #12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #12472
Richard Levitte [Mon, 20 Jul 2020 15:14:45 +0000 (17:14 +0200)]
DOC: Fix SSL_CTX_set_cert_cb.pod and SSL_CTX_set_client_cert_cb.pod
The 'cert_cb' / 'client_cert_cb' arguments had extra, a bit weird
documentation.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12494)
Richard Levitte [Mon, 20 Jul 2020 15:10:44 +0000 (17:10 +0200)]
util/find-doc-nits: Relax check of function declarations in name_synopsis()
The relaxation allows spaces between function name and argument list,
to allow line breaks like this when there are very long names:
int (fantastically_long_name_breaks_80char_limit)
(fantastically_long_name_breaks_80char_limit *something);
This revealed some other intricaties, such as documented internal
structures with function pointers inside, so a check of open
structures was also added, and they are now simply skipped over.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12494)
Richard Levitte [Mon, 20 Jul 2020 07:11:15 +0000 (09:11 +0200)]
PROV: Move bio_prov.c from libcommon.a to libfips.a / libnonfips.a
libcommon.a is FIPS agnostic, while libfips.a and libnonfips.a are
FIPS / non-FIPS specific. Since bio_prov.c checks FIPS_MODULE, it
belongs to the latter.
Along with this, a bit more instruction commentary is added to
providers/build.info.
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/12486)
Nihal Jere [Sun, 19 Jul 2020 21:54:07 +0000 (16:54 -0500)]
fixed swapped parameter descriptions for x509
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12482)
Shane Lontis [Tue, 21 Jul 2020 06:30:02 +0000 (16:30 +1000)]
Add ERR_raise() errors to fips OSSL_provider_init and self tests.
As the ERR_raise() is setup at this point returng a range of negative values for errors is not required.
This will need to be revisited if the code ever moves to running from the DEP.
Added a -config option to the fips install so that it can test if a fips module is loadable from configuration.
(The -verify option only uses the generated config, whereas -config uses the normal way of including the generated data via another config file).
Added more failure tests for the raised errors.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12346)
Shane Lontis [Mon, 20 Jul 2020 01:18:24 +0000 (11:18 +1000)]
Fix API rename issue in shim layer that calls EVP_MAC_CTX_set_params
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12483)
Dimitri John Ledkov [Tue, 14 Jul 2020 16:55:49 +0000 (17:55 +0100)]
man3: Drop warning about using security levels higher than 1.
Today, majority of web-browsers reject communication as allowed by the
security level 1. Instead key sizes and algorithms from security level
2 are required. Thus remove the now obsolete warning against using
security levels higher than 1. For example Ubuntu, compiles OpenSSL
with security level set to 2, and further restricts algorithm versions
available at that security level.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12444)
Dr. David von Oheimb [Thu, 25 Jun 2020 09:55:56 +0000 (11:55 +0200)]
check-format.pl: Add an entry about it to NEWS.md and to CHANGES.md
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
Dr. David von Oheimb [Sun, 7 Jun 2020 12:53:20 +0000 (14:53 +0200)]
check-format.pl: Report empty lines only if -s (--sloppy-spc) is not used
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
Dr. David von Oheimb [Sun, 7 Jun 2020 12:47:16 +0000 (14:47 +0200)]
check-format.pl: Add check for essentially empty line at beginning of file
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
Dr. David von Oheimb [Sat, 6 Jun 2020 19:14:29 +0000 (21:14 +0200)]
check-format.pl: Add check for multiples essentially empty lines in a row
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
Dr. David von Oheimb [Tue, 7 Apr 2020 12:27:08 +0000 (14:27 +0200)]
check-format.pl: Allow comment start '/*' after opening '(','[','{'
On this occasion fix uses of the word 'nor'.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
Jean-Christophe Fillion-Robin [Tue, 23 Jun 2020 06:37:22 +0000 (02:37 -0400)]
Fix linking against non-system zlib on macOS
This commit ensures the -L/path/to/zlib flag associated with ldflags
property set in "Configurations/00-base-templates.conf" (under "BASE_unix")
is inherited when defining "darwin-common" configuration.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12238)
Shane Lontis [Wed, 15 Jul 2020 08:26:35 +0000 (18:26 +1000)]
Added missing ';' after methods in the synopsis section of pod files
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12452)
Richard Levitte [Wed, 15 Jul 2020 06:42:18 +0000 (08:42 +0200)]
util/find-doc-nits: relax some SYNOPSIS checks
- The check that disallowed space before the argument list in a
function typedef is tentatively removed, allowing this kind of
construction:
typedef int (fantastically_long_name_breaks_80char_limit)
(fantastically_long_name_breaks_80char_limit *something);
- Accept the following style of function signature:
typedef TYPE (NAME)(args...)
- Accept space between '#' and 'defined' / 'undef'
- Accept other spaces than SPC in argument list comma check,
allowing declaration with line breaks.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12452)
Richard Levitte [Wed, 15 Jul 2020 06:33:08 +0000 (08:33 +0200)]
util/find-doc-nits: read full declarations as one line in name_synopsis()
name_synopsis was reading physical SYNOPSIS lines. This changes it to
consider a declaration at a time, so we treat a C declaration that's
been broken up in several lines as one.
This makes it mandatory to end all C declarations in the SYNOPSIS with
a semicolon. Those can be detected in two ways:
1. Parsing an individual .pod file outputs this error:
doc/man3/SOMETHING.pod:1: Can't parse rest of synopsis:
int SOMETHING_status(SOMETHING *s)
int SOMETHING_start(SOMETHING *s)
(declarations not ending with a semicolon (;)?)
2. Errors like this:
doc/man3/SOMETHING.pod:1: SOMETHING_status missing from SYNOPSIS
doc/man3/SOMETHING.pod:1: SOMETHING_start missing from SYNOPSIS
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12452)
Richard Levitte [Thu, 16 Jul 2020 17:21:22 +0000 (19:21 +0200)]
Fix typo for SSL_get_peer_certificate()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12468)
Richard Levitte [Thu, 16 Jul 2020 14:17:49 +0000 (16:17 +0200)]
Remove util/openssl-update-copyright
It was useful at the time for a one-time run. However, since it does
its work based on file modification time stamps, and those are
notoriously untrustable in a git checkout, it ends up being harmful.
There is a replacement in OpenSSL's tools repository, which relies on
git history.
Fixes #12462
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12466)
Pauli [Thu, 16 Jul 2020 01:15:42 +0000 (11:15 +1000)]
mac: always pass a non-NULL output size pointer to providers.
The backend code varies for the different MACs and sometimes sets the output
length, sometimes checks the return pointer and sometimes neither.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12458)
Pauli [Mon, 13 Jul 2020 22:39:32 +0000 (08:39 +1000)]
doc: Fix documentation of EVP_EncryptUpdate().
The documentation was off by one for the length this function could return.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12435)
Pauli [Wed, 1 Jul 2020 01:09:38 +0000 (11:09 +1000)]
install: add notes about ignored seed sources in the FIPS provider.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12325)
Pauli [Tue, 30 Jun 2020 03:15:05 +0000 (13:15 +1000)]
rand: detect if FIPS approved randomness sources are being used.
This boils down to the operating system sources and RDRAND.
All other sources are not available in the FIPS module.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12325)
Shane Lontis [Wed, 15 Jul 2020 01:49:57 +0000 (11:49 +1000)]
Fix trailing whitespace mismatch error when running 02-test_errstr.
Fixes #12449
On a aix7_ppc32 machine the error was of the form
match 'Previous owner died ' (
2147483743) with one of ( 'Previous owner died', 'reason(95)' )
Stripping the trailing whitespace from the system error will address this issue.
Suggested fix by @pauldale.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12451)
Dr. David von Oheimb [Fri, 3 Jul 2020 12:19:43 +0000 (14:19 +0200)]
99-test_fuzz.t: Clean up and re-organize such that sub-tests could be split easily
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12359)
Dr. David von Oheimb [Thu, 2 Jul 2020 15:59:55 +0000 (17:59 +0200)]
test/run_tests.pl: In parallel runs, start those tests first that run longest
Also untabify the Perl source file.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12359)
Dr. David von Oheimb [Fri, 3 Jul 2020 19:19:55 +0000 (21:19 +0200)]
x509_vfy.c: Improve key usage checks in internal_verify() of cert chains
If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.
Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375)
Dr. David von Oheimb [Mon, 13 Jul 2020 15:13:48 +0000 (17:13 +0200)]
Constify X509_check_akid and prefer using X509_get0_serialNumber over X509_get_serialNumber
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375)
Richard Levitte [Thu, 16 Jul 2020 13:23:08 +0000 (15:23 +0200)]
Prepare for 3.0 alpha 6
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Richard Levitte [Thu, 16 Jul 2020 13:22:29 +0000 (15:22 +0200)]
Prepare for release of 3.0 alpha 5
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Richard Levitte [Thu, 16 Jul 2020 13:08:30 +0000 (15:08 +0200)]
util/mktar.pl: Change 'VERSION' to 'VERSION.dat'
This was forgotten when that file changed name, and that unfortunately
disrupts releases.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12464)
Richard Levitte [Thu, 16 Jul 2020 12:47:04 +0000 (14:47 +0200)]
Update copyright year
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12463)
Richard Levitte [Thu, 16 Jul 2020 04:49:45 +0000 (06:49 +0200)]
DRBG: Fix the renamed functions after the EVP_MAC name reversal
[extended tests]
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12186)
Matt Caswell [Thu, 18 Jun 2020 08:30:48 +0000 (09:30 +0100)]
Revert "kdf: make function naming consistent."
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.
This reverts commit
765d04c9460a304c8119f57941341a149498b9db.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
Matt Caswell [Thu, 18 Jun 2020 08:26:22 +0000 (09:26 +0100)]
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*"
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.
This reverts commit
d9c2fd51e2e278bc3f7793a104ff7b4879f6d63a.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
Richard Levitte [Thu, 16 Jul 2020 07:34:00 +0000 (09:34 +0200)]
Add latest changes and news in CHANGES.md and NEWS.md
- Reworked test perl framwork for parallel tests
- Reworked ERR codes to make better space for system errors
- Deprecation of the ENGINE API
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12461)
Pauli [Tue, 14 Jul 2020 23:16:30 +0000 (09:16 +1000)]
capabilities: make capability selection case insensitive.
Everything else to do with algorithm selection and properties is case
insensitive.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12450)
Pauli [Tue, 14 Jul 2020 12:04:29 +0000 (22:04 +1000)]
libcrypto.num: engine deprecation updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Tue, 14 Jul 2020 11:33:14 +0000 (21:33 +1000)]
doc: remove unused engine tracing option
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Tue, 14 Jul 2020 11:32:52 +0000 (21:32 +1000)]
trace: condition out engine related tracing
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Tue, 14 Jul 2020 00:29:56 +0000 (10:29 +1000)]
Document that ENGINE_add_conf_module() was deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Tue, 14 Jul 2020 00:29:24 +0000 (10:29 +1000)]
Document that exdata for ENGINES is deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Tue, 14 Jul 2020 00:28:49 +0000 (10:28 +1000)]
Document that the ENGINE_[sg]_ex_data() calls are reprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Tue, 14 Jul 2020 00:27:39 +0000 (10:27 +1000)]
RAND: document that the ENGINE RAND override is deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Tue, 14 Jul 2020 00:27:07 +0000 (10:27 +1000)]
ENGINESDIR: document that this configuration is deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Tue, 14 Jul 2020 00:25:38 +0000 (10:25 +1000)]
doc: document that the engine initialisation options are deprecated.
They can't be removed yet for API compatibility reasons.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Mon, 13 Jul 2020 23:40:47 +0000 (09:40 +1000)]
deprecate engines in provider code
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Mon, 13 Jul 2020 23:40:29 +0000 (09:40 +1000)]
deprecate engines in libcrypto
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Mon, 13 Jul 2020 23:40:04 +0000 (09:40 +1000)]
apps: deprecate engines
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Mon, 13 Jul 2020 23:39:47 +0000 (09:39 +1000)]
deprecate engine from public header files
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Mon, 13 Jul 2020 23:39:20 +0000 (09:39 +1000)]
deprecate engine tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Mon, 13 Jul 2020 23:38:42 +0000 (09:38 +1000)]
deprecate engines in SSL
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Mon, 13 Jul 2020 23:38:22 +0000 (09:38 +1000)]
deprecate engines
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Mon, 13 Jul 2020 00:51:03 +0000 (10:51 +1000)]
Fix indentation for engine.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Thu, 25 Jun 2020 01:30:13 +0000 (11:30 +1000)]
doc: deprecate ENGINE documentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Thu, 25 Jun 2020 01:27:51 +0000 (11:27 +1000)]
apps: document the deprecation of the -engine option
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Thu, 25 Jun 2020 01:20:49 +0000 (11:20 +1000)]
engine: document the engine app as deprecated
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Thu, 25 Jun 2020 00:40:20 +0000 (10:40 +1000)]
apps/list: deprecate engine support
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Pauli [Thu, 25 Jun 2020 00:36:29 +0000 (10:36 +1000)]
deprecate engines in 3.0
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
Todd Short [Thu, 11 Apr 2019 14:47:13 +0000 (10:47 -0400)]
Add SSL_get[01]_peer_certificate()
Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8730)
Daniel Bevenius [Thu, 9 Jul 2020 05:28:19 +0000 (07:28 +0200)]
Configure: fix minor typo in apitable comment
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12398)
Shane Lontis [Wed, 1 Jul 2020 04:37:32 +0000 (14:37 +1000)]
Add FIPS related configuration data to the default openssl application configuration file
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12333)
Rich Salz [Mon, 29 Jun 2020 01:11:48 +0000 (21:11 -0400)]
Make -provider_name and -section_name optional
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)
Rich Salz [Tue, 23 Jun 2020 00:49:51 +0000 (20:49 -0400)]
Use defaults FIPSKEY if not given on command line
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)
Shane Lontis [Mon, 8 Jun 2020 04:33:27 +0000 (14:33 +1000)]
Add AES_CBC_CTS ciphers to providers
Added Algorithm names AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS.
CS1, CS2 and CS3 variants are supported.
Only single shot updates are supported.
The cipher returns the mode EVP_CIPH_CBC_MODE (Internally it shares the aes_cbc cipher code). This
would allow existing code that uses AES_CBC to switch to the CTS variant without breaking code that
tests for this mode. Because it shares the aes_cbc code the cts128.c functions could not be used directly.
The cipher returns the flag EVP_CIPH_FLAG_CTS.
EVP_CIPH_FLAG_FIPS & EVP_CIPH_FLAG_NON_FIPS_ALLOW have been deprecated.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12094)
aSoujyuTanaka [Sat, 11 Apr 2020 19:10:57 +0000 (04:10 +0900)]
Enable WinCE build without deceiving _MSC_VER.
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
aSoujyuTanaka [Sat, 11 Apr 2020 19:00:17 +0000 (04:00 +0900)]
To generate makefile with correct parameters for WinCE.
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
aSoujyuTanaka [Sat, 11 Apr 2020 18:58:44 +0000 (03:58 +0900)]
Disable optimiization of BN_num_bits_word() for VS2005 ARM compiler due to
its miscompilation of the function.
https://mta.openssl.org/pipermail/openssl-users/2018-August/008465.html
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
aSoujyuTanaka [Sat, 11 Apr 2020 18:58:02 +0000 (03:58 +0900)]
Changed uintptr_t to size_t. WinCE6 doesn't seem it have the definition.
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
Pauli [Sat, 4 Jul 2020 00:48:19 +0000 (10:48 +1000)]
DRBG: rename the DRBG taxonomy.
The existing wording didn't capture the reality of the default setup, this new
nomenclature attempts to improve the situation.
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12366)
Daniel Bevenius [Thu, 9 Jul 2020 05:26:38 +0000 (07:26 +0200)]
Configurations: make Makefile tmpl files non-links
This commit updates Configurations/README.md and turns the Makefile
templates into non-links.
The motivation for this is that not all template exist in the directory
leading to 404 Not found errors when accessed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12401)
Billy Brumley [Tue, 9 Jun 2020 10:16:15 +0000 (13:16 +0300)]
[test] ectest: check custom generators
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12096)
Benjamin Kaduk [Thu, 2 Jul 2020 19:14:52 +0000 (12:14 -0700)]
Providerized libssl fallout: cleanup init
Since libssl is entirely using fetched cipher/digest implementations
from providers, we don't need to register the libcrypto cipher/digest
implementations in ossl_init_ssl_base().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12418)
Richard Levitte [Thu, 9 Jul 2020 06:40:50 +0000 (08:40 +0200)]
BN: Check endianness in run-time, in BN_native2bn() and BN_bn2nativepad()
The code relied on B_ENDIAN being defined on all big-endian platform,
which turned out to not always be the case.
Fixes #12387
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12390)
Richard Levitte [Thu, 9 Jul 2020 06:37:46 +0000 (08:37 +0200)]
Add and use internal header that implements endianness check
This moves test/ossl_test_endian.h to include/internal/endian.h and
thereby makes the macros in there our standard way to check endianness
in run-time.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12390)
Richard Levitte [Mon, 6 Jul 2020 08:35:18 +0000 (10:35 +0200)]
DOC: install documentation without execution permissions.
Fixes #12350
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12373)