Matt Caswell [Thu, 7 Jan 2021 13:38:50 +0000 (13:38 +0000)]
Update copyright year
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13800)
Matt Caswell [Mon, 4 Jan 2021 17:29:35 +0000 (17:29 +0000)]
Only perform special TLS handling if TLS has been configured
Skip over special TLS steps for stream ciphers if we haven't been
configured for TLS.
Fixes #12528
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13774)
David CARLIER [Mon, 4 Jan 2021 16:42:47 +0000 (16:42 +0000)]
Mac M1 setting change proposal.
Running tests takes very long with the current setting while it takes a
lot shorter time with this change.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13771)
John Baldwin [Sat, 21 Nov 2020 01:45:48 +0000 (17:45 -0800)]
Support session information on FreeBSD.
FreeBSD's /dev/crypto does not provide a CIOCGSESSINFO ioctl, but it
does provide other ioctls that can be used to provide similar
functionality.
First, FreeBSD's /dev/crypto defines a CIOCGESSION2 ioctl which accepts
a 'struct session2_op'. This structure extends 'struct session_op'
with a 'crid' member which can be used to either request an individual
driver by id, or a class of drivers via flags.
To determine if the available drivers for a given algorithm are
accelerated or not, use CIOCGESSION2 to first attempt to create an
accelerated (hardware) session. If that fails, fall back to
attempting a software session. In addition, when requesting a new
cipher session, use the current setting of the 'use_softdrivers' flag
to determine the value assigned to 'crid' when invoking CIOCGSESSION2.
Finally, use the returned 'crid' value from CIOCGSESSION2 to look up
the name of the associated driver via the CIOCFINDDEV ioctl.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13468)
John Baldwin [Sat, 21 Nov 2020 01:07:35 +0000 (17:07 -0800)]
Use CRIOGET to fetch a crypto descriptor when present.
FreeBSD's current /dev/crypto implementation requires that consumers
clone a separate file descriptor via the CRIOGET ioctl that can then
be used with other ioctls such as CIOCGSESSION.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13468)
bazmoz [Sun, 27 Dec 2020 16:35:14 +0000 (22:05 +0530)]
Updated SSL_CTX_new doc
Fixes #13703
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13741)
Etienne Millon [Mon, 4 Jan 2021 10:33:55 +0000 (11:33 +0100)]
28-seclevel.cnf.in: fix typo in algo name
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13768)
Etienne Millon [Mon, 4 Jan 2021 10:28:36 +0000 (11:28 +0100)]
EVP_SIGNATURE-
ED25519.pod: fix typo in algo name
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13768)
Nirbheek Chauhan [Wed, 8 Jul 2020 17:53:04 +0000 (23:23 +0530)]
win-onecore: Build with /APPCONTAINER for UWP compat
When targeting the win-onecore configuration, we must link with
/APPCONTAINER which is a requirement for submitting apps to the
Windows Store.
Without this, the Windows App Certificate Kit will reject the app:
https://docs.microsoft.com/en-us/cpp/build/reference/appcontainer-windows-store-app
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12400)
Nirbheek Chauhan [Wed, 8 Jul 2020 17:40:34 +0000 (23:10 +0530)]
crypto/win: Don't use disallowed APIs on UWP
CreateFiber and ConvertThreadToFiber are not allowed in Windows Store
(Universal Windows Platform) apps since they have been replaced by
their Ex variants which have a new dwFlags parameter.
This flag allows the fiber to do floating-point arithmetic in the
fiber on x86, which would silently cause corruption otherwise since
the floating-point state is not switched by default.
Switch to these "new" APIs which were added in Vista.
See: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiberex#parameters
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12400)
Dr. David von Oheimb [Fri, 1 Jan 2021 19:43:46 +0000 (20:43 +0100)]
Update copyright years of auto-generated headers (make update)
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13764)
Matt Caswell [Wed, 23 Dec 2020 11:35:54 +0000 (11:35 +0000)]
Add a test for the new CRYPTO_atomic_* functions
Also tests the older CRYPTO_atomic_add() which was without a test
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13733)
Matt Caswell [Wed, 23 Dec 2020 11:15:03 +0000 (11:15 +0000)]
Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13733)
Matt Caswell [Tue, 22 Dec 2020 17:44:07 +0000 (17:44 +0000)]
Optimise OPENSSL_init_crypto
If everything has already been initialised we can check this with a
single test at the beginning of OPENSSL_init_crypto() and therefore
reduce the amount of time spent in this function. Since this is called
via very many codepaths this should have significant performance benefits.
Partially fixes #13725 and #13578
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13733)
Matt Caswell [Tue, 22 Dec 2020 17:43:07 +0000 (17:43 +0000)]
Add some more CRYPTO_atomic functions
We add an implementation for CRYPTO_atomic_or() and CRYPTO_atomic_load()
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13733)
Matt Caswell [Wed, 23 Dec 2020 16:30:36 +0000 (16:30 +0000)]
Don't call EVP_CIPHER_CTX_block_size() to find the block size
The EVP lib was calling EVP_CIPHER_CTX_block_size(), which in turn calls
EVP_CIPHER_block_size() in order to find the block_size in every
EVP_EncryptUpdate() call. This adds a surprising amount of overhead when
using speed to test aes-128-cbc. Since we're in the EVP lib itself, we can
just directly access this value.
To test performance I ran the command:
openssl speed -evp aes-128-cbc -bytes 16 -seconds 30
For the before and after, I ran this twice and discarded the first result
to "warm up" my machine.
Before:
aes-128-cbc 716949.71k
After:
aes-128-cbc 742807.11k
This represents a performance improvement of about 4%
Partially fixes #13407
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13734)
Matt Caswell [Tue, 22 Dec 2020 15:16:51 +0000 (15:16 +0000)]
Optimise OPENSSL_init_crypto to not need a lock when loading config
Most of the time we don't have any explicit settings when loading a
config file. Therefore we optimise things so that we don't need to use
a lock in that instance.
Partially addresses performance issues in #13725
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13731)
Matt Caswell [Tue, 22 Dec 2020 11:36:30 +0000 (11:36 +0000)]
Cache Digest constants
EVP_CIPHER already caches certain constants so that we don't have to
query the provider every time. We do the same thing with EVP_MD constants.
Without this we can get performance issues, e.g. running "speed" with
small blocks of data to digest can spend a long time in EVP_MD_size(),
which should be quick.
Partialy fixes #13578
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13730)
Matt Caswell [Tue, 22 Dec 2020 11:54:16 +0000 (11:54 +0000)]
Move the caching of cipher constants into evp_cipher_from_dispatch
Previously we cached the cipher constants in EVP_CIPHER_fetch(). However,
this means we do the caching every time we call that function, even if
the core has previusly fetched the cipher and cached it already. This
means we can end up re-caching the constants even though they are already
present. This also means we could be updating these constants from
multiple threads at the same time.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13730)
Dmitry Belyavskiy [Tue, 22 Dec 2020 08:40:46 +0000 (09:40 +0100)]
Fix doc-nits for list command
Bug was introduced in #13669
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13728)
Dmitry Belyavskiy [Mon, 21 Dec 2020 13:23:17 +0000 (14:23 +0100)]
Fetch provided algorithm once per benchmark
Partially fixes #13578
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13721)
Ingo Schwarze [Thu, 4 Jun 2020 22:30:00 +0000 (00:30 +0200)]
Fix NULL pointer access caused by X509_ATTRIBUTE_create()
When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return
failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on. This matters because
X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3)
and the NID comes straight from the user.
This bug was found while working on LibreSSL documentation.
Reviewed-by: Theo Buehler <tb@openbsd.org>
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12052)
jwalch [Tue, 15 Dec 2020 20:00:11 +0000 (15:00 -0500)]
Restore v2i_AUTHORITY_INFO_ACCESS() behavior
Fixes #13636
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13683)
Richard Levitte [Thu, 17 Dec 2020 20:37:15 +0000 (21:37 +0100)]
Drop OPENSSL_NO_RSA everywhere
The configuration option 'no-rsa' was dropped with OpenSSL 1.1.0, so
this is simply a cleanup of the remains.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13700)
Richard Levitte [Fri, 18 Dec 2020 14:39:50 +0000 (15:39 +0100)]
GitHub CI: Separate no-deprecated job from minimal job
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13706)
Richard Levitte [Fri, 18 Dec 2020 12:17:33 +0000 (13:17 +0100)]
Fix 'no-deprecated'
Some of the handling of no-deprecated stuff wasn't quite complete, or
even plain wrong.
This restores i2d_PublicKey() to be able to handle EVP_PKEYs with
legacy internal keys.
This also refactors the DSA key tests in test/evp_extra_test.c to use
EVP functionality entirely.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13706)
Petr Gotthard [Thu, 17 Dec 2020 19:13:00 +0000 (20:13 +0100)]
Fix OSSL_PARAM creation in OSSL_STORE_open_ex
The params[0].data is set to a non-NULL value, but params[0].data_size
is always zero. This confuses get_string_internal, which creates 1 byte
string with uninitialized content.
When OSSL_PARAM_construct_utf8_string is used, the data_size is set
correctly.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13699)
Richard Levitte [Fri, 18 Dec 2020 07:59:02 +0000 (08:59 +0100)]
TEST: Fix test/endecode_test.c for 'no-legacy'
This adds an additional check that the legacy provider is available
when wanting to add tests for protected PVK, since that depends on the
availability of RC4.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13705)
Richard Levitte [Thu, 17 Dec 2020 21:01:46 +0000 (22:01 +0100)]
make update
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/13701)
Richard Levitte [Thu, 17 Dec 2020 20:55:07 +0000 (21:55 +0100)]
GitHub CI: Add 'check-update' and 'check-docs'
'check-update' runs a 'make update' to check that it wasn't forgotten.
'check-docs' runs 'make doc-nits'. We have that as a separate job to
make it more prominent.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/13701)
Pauli [Wed, 21 Oct 2020 22:18:38 +0000 (08:18 +1000)]
dsa: add additional deprecated functions to CHANGES entry.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13638)
Pauli [Tue, 20 Oct 2020 03:32:57 +0000 (13:32 +1000)]
dsa: provider and library deprecation changes
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13638)
Pauli [Tue, 20 Oct 2020 03:32:26 +0000 (13:32 +1000)]
dsa: apps deprecation changes
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13638)
Pauli [Tue, 20 Oct 2020 03:32:08 +0000 (13:32 +1000)]
dsa: fuzzer deprecation changes
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13638)
Pauli [Tue, 20 Oct 2020 03:31:43 +0000 (13:31 +1000)]
dsa: documentation deprecation changes
Fixes #13121
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13638)
Dr. David von Oheimb [Thu, 12 Nov 2020 20:27:37 +0000 (21:27 +0100)]
apps/cmp.c: Correct -keyform option range w.r.t engine
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13690)
Dr. David von Oheimb [Wed, 16 Dec 2020 12:35:27 +0000 (13:35 +0100)]
apps/cmp.c: Fix bug on -path option introduced in commit
3c9d6266ed85
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13690)
Richard Levitte [Wed, 16 Dec 2020 16:01:06 +0000 (17:01 +0100)]
EVP: Fix memory leak in EVP_PKEY_CTX_dup()
In most error cases, EVP_PKEY_CTX_dup() would only free the EVP_PKEY_CTX
without freeing the duplicated contents.
Fixes #13503
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13661)
Richard Levitte [Wed, 16 Dec 2020 14:15:06 +0000 (15:15 +0100)]
CORE: Separate OSSL_PROVIDER activation from OSSL_PROVIDER reference
This introduces a separate activation counter, and the function
ossl_provider_deactivate() for provider deactivation.
Something to be noted is that if the reference count goes down to
zero, we don't care if the activation count is non-zero (i.e. someone
forgot to call ossl_provider_deactivate()). Since there are no more
references to the provider, it doesn't matter.
The important thing is that deactivation doesn't remove the provider
as long as there are references to it, for example because there are
live methods associated with that provider, but still makes the
provider unavailable to create new methods from.
Fixes #13503
Fixes #12157
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13661)
Richard Levitte [Fri, 11 Dec 2020 10:01:09 +0000 (11:01 +0100)]
DECODER: Adjust the library context of keys in our decoders
Because decoders are coupled with keymgmts from the same provider,
ours need to produce provider side keys the same way. Since our
keymgmts create key data with the provider library context, so must
our decoders.
We solve with functions to adjust the library context of decoded keys,
and use them.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13661)
Richard Levitte [Thu, 10 Dec 2020 13:00:05 +0000 (14:00 +0100)]
MSBLOB & PVK: Make it possible to write EVP_PKEYs with provided internal key
So far, the MSBLOB and PVK writers could only handle EVP_PKEYs with
legacy internal keys.
Specially to be able to compile the loader_attic engine, we use the C
macro OPENSSL_NO_PROVIDER_CODE to avoid building the provider specific
things when we don't need them. The alternative is to suck half of
crypto/evp/ into loader_attic, and that's just not feasible.
Fixes #13503
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13661)
Richard Levitte [Thu, 10 Dec 2020 17:33:16 +0000 (18:33 +0100)]
DECODER EVP_PKEY: Don't store all the EVP_KEYMGMTs
OSSL_DECODER_CTX_new_by_EVP_PKEY() would keep copies of all the
EVP_KEYMGMTs it finds.
This turns out to be fragile in certain circumstances, so we switch to
fetch the appropriate EVP_KEYMGMT when it's time to construct an
EVP_PKEY from the decoded data instead. This has the added benefit
that we now actually use the property query string that was given by
the caller for these fetches.
Fixes #13503
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13661)
Tomas Mraz [Wed, 16 Dec 2020 08:39:31 +0000 (09:39 +0100)]
Github CI: run also on repository pushes
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13686)
Richard Levitte [Wed, 2 Dec 2020 17:30:55 +0000 (18:30 +0100)]
Add necessary checks of OPENSSL_NO_DH, OPENSSL_NO_DSA and OPENSSL_NO_EC
When OpenSSL is configured with 'no-dh', 'no-dsa' and 'no-ec'
combined, some static functions have no use, which the compiler may
complain about. We therefore add extra guards to silence it.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13589)
Richard Levitte [Wed, 2 Dec 2020 17:27:03 +0000 (18:27 +0100)]
Drop unnecessary checks of OPENSSL_NO_DH, OPENSSL_NO_DSA and OPENSSL_NO_EC
The apps, the CMS library and the X.509 library are primarly affected.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13589)
Richard Levitte [Tue, 1 Dec 2020 18:21:04 +0000 (19:21 +0100)]
EVP_PKEY & EC_KEY: Make EC EVP_PKEY_CTX parameter ctrls / setters more available
EVP_PKEY_CTX_set_ec_ functions were only available when EC was enabled
('no-ec' not configured). However, that makes it impossible to use
these functions with an engine or a provider that happens to implement
EC_KEY. This change solves that problem by shuffling these functions
to more appropriate places.
Partially fixes #13550
squash! EVP_PKEY & EC_KEY: Make EC EVP_PKEY_CTX parameter ctrls / setters more available
By consequence, there are a number of places where we can remove the
check of OPENSSL_NO_EC. This requires some re-arrangements of
internal tables to translate between numeric identities and names.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13589)
Richard Levitte [Tue, 1 Dec 2020 18:11:59 +0000 (19:11 +0100)]
EVP_PKEY & DH: Make DH EVP_PKEY_CTX parameter ctrls / setters more available
EVP_PKEY_CTX_set_dh_ functions were only available when DH was enabled
('no-dsa' not configured). However, that makes it impossible to use
these functions with an engine or a provider that happens to implement
DH. This change solves that problem by shuffling these functions to
more appropriate places.
By consequence, there are a number of places where we can remove the
check of OPENSSL_NO_DH. This requires some re-arrangements of
internal tables to translate between numeric identities and names.
Partially fixes #13550
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13589)
Richard Levitte [Tue, 1 Dec 2020 18:09:39 +0000 (19:09 +0100)]
EVP_PKEY & DSA: move dsa_ctrl.c to be included only on libcrypto
These functions aren't used by the FIPS module, so there's no reason
to include it there.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13589)
Richard Levitte [Wed, 9 Dec 2020 10:54:56 +0000 (11:54 +0100)]
PROV: Add MSBLOB and PVK encoders
This allows 15-test_rsa.t to succeed, and provides the same OSSL_ENCODER
support for these formats as for all other formats supported in OpenSSL.
Fixes #13379
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13645)
Richard Levitte [Wed, 9 Dec 2020 10:30:10 +0000 (11:30 +0100)]
TEST: Fix test/recipes/15-test_rsa.t
Perl strings should be compared with 'eq', not '=='.
This only generates a perl warning, so wasn't immediately noticed.
Also, remove the check of disabled 'dsa'. That never made reak sense.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13645)
Richard Levitte [Wed, 9 Dec 2020 10:28:35 +0000 (11:28 +0100)]
APPS: Correct the output structure for public keys in 'openssl rsa'
'openssl rsa' would output a PKCS#1 structure when asked for a
SubjectPublicKeyInfo and vice versa.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13645)
Rich Salz [Sat, 28 Nov 2020 21:12:58 +0000 (16:12 -0500)]
Check non-option arguments
Make sure all commands check to see if there are any "extra" arguments
after the options, and print an error if so.
Made all error messages consistent (which is to say, minimal).
Fixes: #13527
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13563)
Pauli [Sat, 12 Dec 2020 11:38:17 +0000 (21:38 +1000)]
test: document the random test ordering env variable
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13672)
Pauli [Sat, 12 Dec 2020 11:25:40 +0000 (21:25 +1000)]
test: print OPENSSL_TEST_RAND_ORDER=x when a randomised test fails.
The previous message "random seed x" is a lot less descriptive.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13672)
Rich Salz [Fri, 11 Dec 2020 19:18:46 +0000 (14:18 -0500)]
Document OCSP_REQ_CTX_i2d.
Based on comments from David von Oheimb.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13620)
Rich Salz [Sat, 5 Dec 2020 15:42:18 +0000 (10:42 -0500)]
Deprecate OCSP_REQ_CTX_set1_req
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13620)
Dmitry Belyavskiy [Sat, 12 Dec 2020 05:23:20 +0000 (06:23 +0100)]
Skip tests depending on deprecated list -*-commands options
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
Dmitry Belyavskiy [Fri, 11 Dec 2020 05:15:04 +0000 (06:15 +0100)]
Documenting the options deprecating in CHANGES.md
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
Dmitry Belyavskiy [Fri, 11 Dec 2020 05:13:41 +0000 (06:13 +0100)]
Documenting the options deprecating
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
Dmitry Belyavskiy [Fri, 11 Dec 2020 02:15:09 +0000 (03:15 +0100)]
Skip unavailable digests and ciphers in -*-commands
Fixes #13594
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
Dmitry Belyavskiy [Fri, 11 Dec 2020 00:31:30 +0000 (01:31 +0100)]
Deprecate -cipher-commands and -digest-commands options
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
Dmitry Belyavskiy [Fri, 11 Dec 2020 00:23:02 +0000 (01:23 +0100)]
OPENSSL_NO_GOST has nothing to do with low-level algos
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
Sebastian Andrzej Siewior [Sun, 5 Jul 2020 18:52:39 +0000 (20:52 +0200)]
Configurations: PowerPC is big endian
Define B_ENDIAN on PowerPC because it is a big endian architecture. With
this change the BN* related tests pass.
Fixes: #12199
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12371)
Shane Lontis [Wed, 9 Dec 2020 02:32:47 +0000 (12:32 +1000)]
Change AES-CTS modes CS2 and CS3 to also be inside the fips module.
The initial thought was that only CS1 mode (the NIST variant) was allowed.
The lab has asked if these other modes should be included.
The algorithm form indicates that these are able to be validated.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13639)
Shane Lontis [Wed, 25 Nov 2020 05:21:52 +0000 (15:21 +1000)]
Fix Segfault in EVP_PKEY_CTX_dup when the ctx has an undefined operation.
Fixes #12438
Note: This worked in 1.1.1 so just returning an error is not valid.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13505)
Matt Caswell [Wed, 9 Dec 2020 16:26:29 +0000 (16:26 +0000)]
Fix no-threads
Make OPENSSL_fork_prepare() et al always available even in a no-threads
build. These functions are no-ops anyway so this shouldn't make any
difference.
This fixes an issue where the symbol_presence test fails in a no-threads
build. This is because these functions have not been marked in
libcrypto.num as being dependent on thread support. Enclosing the
declarations of the functions in the header with an appropriate guard
does not help because we never define OPENSSL_NO_THREADS (we define the
opposite OPENSSL_THREADS). This confuses the scripts which only consider
OPENSSL_NO_* guards. The simplest solution is to just make them always
available.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13647)
Ankita Shetty [Wed, 9 Dec 2020 20:56:51 +0000 (21:56 +0100)]
openssl.pod: Fix openSSL options doc
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13651)
Richard Levitte [Wed, 9 Dec 2020 16:50:20 +0000 (17:50 +0100)]
Remove unnecessary guards around MSBLOB and PVK readers and writers
The OPENSSL_NO_RC4 guard remain around protected PVK tests in
test/endecoder_test.c.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13648)
Richard Levitte [Wed, 9 Dec 2020 16:30:01 +0000 (17:30 +0100)]
PEM: Unlock MSBLOB and PVK functions from 'no-dsa' and 'no-rc4'
All these functions are usable with RSA keys, there's no reason why
they should be unaccessible when DSA or RC4 are disabled.
When DSA is disabled, it's not possible to use these functions for
DSA EVP_PKEYs. That's fine, and supported.
When RC4 is disabled, it's not possible to use these functions to
write encrypted PVK output. That doesn't even depend on the
definition of OPENSSL_NO_RC4, but if the RC4 algorithm is accessible
via EVP, something that isn't known when building libcrypto.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13648)
Richard Levitte [Fri, 11 Dec 2020 15:25:13 +0000 (16:25 +0100)]
Building: Fix the library file names for MSVC builds to include multilib
In OpenSSL 1.1.1, VC-WIN64I and VC-WIN64A have a 'multilib' attribute
set, which affect the names of the produced libcrypto and libssl DLLs.
This restores that for OpenSSL 3.0.
Fixes #13659
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13670)
Richard Levitte [Mon, 7 Dec 2020 11:28:57 +0000 (12:28 +0100)]
DOCS: Improve documentation of the EVP_PKEY type
This type was previously described in a note, which is hard to find
unless you already know where to look.
This change makes the description more prominent, and allows indexing
by adding it in the NAMES section.
The EVP_PKEY description is altered to conceptually allow an EVP_PKEY
to contain a private key without a corresponding public key. This is
related to an OTC vote:
https://mta.openssl.org/pipermail/openssl-project/2020-December/002474.html
The description of EVP_PKEY for MAC purposes is amended to fit.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13629)
Pauli [Fri, 11 Dec 2020 00:23:19 +0000 (10:23 +1000)]
params: add integer conversion test cases.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13663)
Pauli [Fri, 11 Dec 2020 00:21:44 +0000 (10:21 +1000)]
params: allow more variations in integer conversions.
Allow any sized integer to be converted to any other size integer via the
helpers.
Support for converting reals to/from integers remains restricted.
Fixes: #13429
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13663)
Richard Levitte [Tue, 1 Dec 2020 09:42:53 +0000 (10:42 +0100)]
DOCS: Update OSSL_DECODER_CTX_new_by_EVP_PKEY.pod to match declarations
Fixes #13441
We're also starting on a glossary, doc/man7/openssl-glossary.pod,
where terms we use should be explained. There's no need to explain
terms as essays, but at least a few quick lines, and possibly a
reference to some external documentation.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13581)
Matt Caswell [Wed, 9 Dec 2020 10:40:56 +0000 (10:40 +0000)]
Fix some typos in EVP_PKEY-DH.pod
A missing newline messes up how the code sample is rendered. Also a few
miscellaneous typos are fixed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13643)
Matt Caswell [Wed, 2 Dec 2020 13:19:52 +0000 (13:19 +0000)]
Skip cms tests using RC2 if no legacy provider
Fixes #12510
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 13:16:33 +0000 (13:16 +0000)]
Don't run a legacy specific PKCS12 test if no legacy provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 13:09:28 +0000 (13:09 +0000)]
Don't use the legacy provider in test_store if its not available
If we don't have the legacy provider then we avoid having to use it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 13:01:54 +0000 (13:01 +0000)]
Don't load the legacy provider in test_evp_libctx unnecessarily
We don't need the legacy provider, so don't load it. This avoids
problems in a no-legacy build
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 12:56:16 +0000 (12:56 +0000)]
Don't load the legacy provider if not available in test_enc_more
If the legacy provider isn't available then we shouldn't attempt to
load or use it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 12:45:47 +0000 (12:45 +0000)]
Skip testing ciphers in the legacy provider if no legacy
test_enc should not test ciphers that are not available due to a lack
of the legacy provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 12:28:31 +0000 (12:28 +0000)]
Don't load the legacy provider in endecoder_legacy_test
In spite of the name the endecoder_legacy_test does not need the
legacy provider. Therefore we avoid loading it so that no-legacy
builds still run the test successfully.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 12:23:37 +0000 (12:23 +0000)]
Don't use legacy provider if not available in test_ssl_old
If we've been configured with no-legacy then we should not attempt to
load the legacy provider.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 12:03:31 +0000 (12:03 +0000)]
Fix sslapitest.c if built with no-legacy
We skip a test that uses the no-legacy option. Unfortuantely there is
no OPENSSL_NO_LEGACY to test, so we just check whether we were successful
in loading the legacy provider - and if not we skip the test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Wed, 2 Dec 2020 11:56:31 +0000 (11:56 +0000)]
Skip evp_test cases where we need the legacy prov and its not available
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
Matt Caswell [Thu, 3 Dec 2020 15:23:00 +0000 (15:23 +0000)]
Don't use no-asm in the Github CIs
no-asm has proven to be too slow, therefore we don't use it in the Github
CI builds and instead rely on it being covered by run-checker.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13607)
Shane Lontis [Mon, 23 Nov 2020 04:55:48 +0000 (14:55 +1000)]
Add fips self tests for all included kdf
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13480)
Shane Lontis [Fri, 20 Nov 2020 09:14:14 +0000 (19:14 +1000)]
Add validate method to ECX keymanager
Fixes #11619
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13459)
Dr. David von Oheimb [Mon, 7 Dec 2020 18:37:46 +0000 (19:37 +0100)]
apps/{ca,req,x509}.c: Improve diag and doc mostly on X.509 extensions, fix multiple instances
This includes a general correction in the code (now using the X509V3_CTX_REPLACE flag)
and adding a prominent clarification in the documentation:
If multiple entries are processed for the same extension name,
later entries override earlier ones with the same name.
This is due to an RFC 5280 requirement - the intro of its section 4.2 says:
A certificate MUST NOT include more than one instance of a particular extension.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Mon, 7 Dec 2020 17:25:10 +0000 (18:25 +0100)]
openssl_hexstr2buf_sep(): Prevent misleading 'malloc failure' errors on short input
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Mon, 7 Dec 2020 16:45:09 +0000 (17:45 +0100)]
v2i_AUTHORITY_KEYID(): Correct out-of-memory behavior and avoid mem leaks
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Mon, 7 Dec 2020 12:28:39 +0000 (13:28 +0100)]
X509V3_EXT_add_nconf_sk(): Improve description and use of 'sk' arg, which may be NULL
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Mon, 7 Dec 2020 12:25:34 +0000 (13:25 +0100)]
openssl-ca.pod.in: Clarify the -extensions/-crlexts options vs. x509_extensions/crl_extensions
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Fri, 4 Dec 2020 11:42:24 +0000 (12:42 +0100)]
apps/x509.c: Factor out common aspects of X509 signing
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Fri, 4 Dec 2020 10:09:29 +0000 (11:09 +0100)]
apps/{req,x509,ca}.c: Cleanup: move shared X509{,_REQ,_CRL} code to apps/lib/apps.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Fri, 4 Dec 2020 10:01:08 +0000 (11:01 +0100)]
apps/{req,x509,ca}.c: Clean up code setting X.509 cert version v3
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Fri, 4 Dec 2020 08:26:25 +0000 (09:26 +0100)]
x509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKeyIdentifier
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Thu, 3 Dec 2020 16:09:20 +0000 (17:09 +0100)]
apps/req.c: Improve diagnostics on multiple/overriding X.509 extensions defined via -reqext option
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Dr. David von Oheimb [Sat, 26 Sep 2020 13:21:48 +0000 (15:21 +0200)]
Use adapted test_get_libctx() for simpler test setup and better error reporting
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13001)
Fangming.Fang [Tue, 28 Apr 2020 02:33:50 +0000 (02:33 +0000)]
Read MIDR_EL1 system register on aarch64
MIDR_EL1 system register exposes microarchitecture information so that
people can make micro-arch related optimization such as exposing as
much instruction level parallelism as possible.
MIDR_EL1 register can be read only if HWCAP_CPUID feature is supported.
Change-Id: Iabb8a36c5d31b184dba6399f378598058d394d4e
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11744)
projects / openssl.git / log