Tomas Mraz [Fri, 12 Mar 2021 14:23:03 +0000 (15:23 +0100)]
Use --debug with no-caching build as sanitizers need it
The memleak test otherwise fails.
Also disable async, dtls, and old tls versions to test some
different combination of disableables and speed up tests.
Fixes #14337
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14536)
Matt Caswell [Tue, 9 Mar 2021 17:28:44 +0000 (17:28 +0000)]
Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()
These functions now work for more key types than they did in 1.1.1
Fixes #14477
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
Matt Caswell [Tue, 9 Mar 2021 17:07:48 +0000 (17:07 +0000)]
Ensure that ECX keys pass EVP_PKEY_param_check()
RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.
Fixes #14482
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
Matt Caswell [Tue, 9 Mar 2021 14:40:54 +0000 (14:40 +0000)]
Add a CHANGES entry for the cosmetic differences in textual output
Numerous functions have had their textual output amended. We add
a CHANGES entry for this.
Fixes #14476
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
Tomas Mraz [Sat, 6 Mar 2021 13:19:14 +0000 (14:19 +0100)]
apps: Make load_key_certs_crls to read only what is expected
The load_key_certs_crls tried to read the whole input stream
instead of returning once expected data is obtained.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14449)
Tomas Mraz [Fri, 5 Mar 2021 20:05:35 +0000 (21:05 +0100)]
apps: Add maybe_stdin argument to load_certs and set it in pkcs12
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14449)
div2016bit [Fri, 12 Mar 2021 23:35:24 +0000 (15:35 -0800)]
Tiny clarification of comment for RSA_sign
CLA: trivial
On line 136, a period is added. I think this is what was intended.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14540)
Shane Lontis [Thu, 11 Mar 2021 03:36:27 +0000 (13:36 +1000)]
Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.
Fixes #14480
An internal flag that is set during param gen was not being tested, so
the wrong type was used to select the dsa domain param validation method.
In the default provider - if no gen_type is set then by default the fips186_4 gentype
will be selected when pbits >=2048 otherwise it selects fips186_2.
The fips provider ignores the gen_type and always uses fips186_4.
Before this change dsa used fips186_2 by default in the default
provider.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14508)
Tomas Mraz [Fri, 12 Mar 2021 16:14:09 +0000 (17:14 +0100)]
keymgmt_meth: remove two TODO 3.0
The first TODO 3.0 is not really a TODO, just a comment.
The second one is something that is needed for compatibility
with existing applications. There is no major reason in
trying to change this behavior right now.
Fixes #14400
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14534)
Tobias Nießen [Thu, 11 Mar 2021 22:04:18 +0000 (23:04 +0100)]
Fix option description for PKCS#12 export
Refs: https://github.com/openssl/openssl/pull/4930
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14520)
Matt Caswell [Fri, 12 Mar 2021 15:43:40 +0000 (15:43 +0000)]
Convert a TODO(3.0) in OPENSSL_thread_stop_ex to a comment
The TODO is describing something that would be nice to fix. In fact the
problem exists even in 1.1.1. It would be nice to fix it, but it does
not need to be done in the 3.0 timeframe.
Fixes #14376
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14533)
Matt Caswell [Fri, 12 Mar 2021 15:33:55 +0000 (15:33 +0000)]
Remove a TODO from async_delete_thread_state()
There is nothing to be done here for the time being. If at some point
we make the async code libctx aware then we might need to make a change
but there are no plans to do that at the moment.
Fixes #14402
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14532)
Shane Lontis [Fri, 12 Mar 2021 02:32:44 +0000 (12:32 +1000)]
Remove TODO in rsa_ameth.c
Fixes #14390
The only caller of this function tests EVP_KEYMGMT_is_a() beforehand
which will fail if the RSA key types do not match. So the test is not
necessary. The assert has been removed when it does the test.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14524)
Shane Lontis [Fri, 12 Mar 2021 02:53:14 +0000 (12:53 +1000)]
Remove TODO in test/acvp_test.c related to setting AES-GCM iv.
Fixes #14330
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14525)
Rich Salz [Thu, 18 Feb 2021 20:31:56 +0000 (15:31 -0500)]
Always check CRYPTO_LOCK_{read,write}_lock
Some functions that lock things are void, so we just return early.
Also make ossl_namemap_empty return 0 on error. Updated the docs, and added
some code to ossl_namemap_stored() to handle the failure, and updated the
tests to allow for failure.
Fixes: #14230
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14238)
Dr. David von Oheimb [Wed, 10 Mar 2021 16:27:13 +0000 (17:27 +0100)]
apps/ts.c: Allow -untrusted arg to refer to multiple sources
This requires moving generally useful functions from apps/cmp.c to apps/lib/apps.c
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14504)
Dr. David von Oheimb [Wed, 10 Mar 2021 16:21:37 +0000 (17:21 +0100)]
TS ESS: Let TS_RESP_verify_signature() make use of untrusted certs also from token response
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14504)
Pauli [Thu, 11 Mar 2021 22:30:33 +0000 (08:30 +1000)]
ssl: fix format specifier for size_t argument to BIO_printf
Fixes #14519
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14521)
Tomas Mraz [Fri, 12 Mar 2021 12:49:28 +0000 (13:49 +0100)]
acvp_test: Do not expect exact number of self tests
There might be more because internal instances of the DRBG
might be initialized for the first time and thus
self-tested as well.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)
Tomas Mraz [Thu, 11 Mar 2021 19:04:06 +0000 (20:04 +0100)]
Remove the RAND_get0_public() from fips provider initialization
It is not needed anymore and it causes leaks because
it is called when the FIPS provider libctx is not yet
properly set up.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)
Tomas Mraz [Thu, 11 Mar 2021 17:02:52 +0000 (18:02 +0100)]
Use OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL) in libcrypto
Calling OPENSSL_init_crypto(0, NULL) is a no-op and will
not properly initialize thread local handling.
Only the calls that are needed to initialize thread locals
are kept, the rest of the no-op calls are removed.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)
Jakub Zelenka [Sun, 7 Mar 2021 20:35:35 +0000 (20:35 +0000)]
Update CHANGES with info about AuthEnvelopedData addition
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14456)
Pauli [Wed, 10 Mar 2021 09:37:02 +0000 (19:37 +1000)]
rename ossl_provider_forall_loaded to ossl_provider_doall_activated
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)
Pauli [Wed, 10 Mar 2021 01:46:00 +0000 (11:46 +1000)]
doc: describe the return from ossl_provider_forall_loaded()
Also correct an incorrect statement about non-activated providers.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)
Pauli [Wed, 10 Mar 2021 01:39:59 +0000 (11:39 +1000)]
core: modify ossl_provider_forall_loaded() to avoid locking for the callbacks
To avoid recursive lock issues, a copy is taken of the provider list and
the callbacks are made without holding the store lock.
Fixes #14251
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)
Matt Caswell [Wed, 10 Mar 2021 10:34:18 +0000 (10:34 +0000)]
Don't crash if the pkeyopt doesn't have a value
All pkeyopt's must have a ":" and a value for the option. Not supplying
one can cause a crash
Fixes #14494
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14496)
Pauli [Wed, 10 Mar 2021 08:40:00 +0000 (18:40 +1000)]
update set_ctx_param store management calls to return 1 for a NULL params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Wed, 10 Mar 2021 08:38:04 +0000 (18:38 +1000)]
update set_ctx_param DRBG calls to return 1 for a NULL params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Wed, 10 Mar 2021 08:37:07 +0000 (18:37 +1000)]
update set_ctx_param MAC calls to return 1 for a NULL params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Wed, 10 Mar 2021 08:28:35 +0000 (18:28 +1000)]
prov: add extra params argument to KDF implementations
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Wed, 3 Mar 2021 01:32:39 +0000 (11:32 +1000)]
doc: note that get_params and set_params calls should return true if the param array is null
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Wed, 3 Mar 2021 01:26:51 +0000 (11:26 +1000)]
doc: document the additional params argument to the various init() calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:46:24 +0000 (22:46 +1000)]
support params argument to AES cipher init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Wed, 3 Mar 2021 00:59:18 +0000 (10:59 +1000)]
doc: update cipher documentation to include the new init functions with params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:46:04 +0000 (22:46 +1000)]
prov: support params argument to common cipher init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:45:34 +0000 (22:45 +1000)]
prov: support param argument to DES cipher init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:45:13 +0000 (22:45 +1000)]
prov: support param argument to null cipher init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:44:53 +0000 (22:44 +1000)]
prov: support params argument to CHACHA20 ciphers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:44:25 +0000 (22:44 +1000)]
prov: support params argument to RCx ciphers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:43:36 +0000 (22:43 +1000)]
prov: support params arguments to signature init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 23:20:21 +0000 (09:20 +1000)]
prov: update digests to support modified ctx params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Wed, 3 Mar 2021 00:59:01 +0000 (10:59 +1000)]
doc: update digest documentation to include the new init functions with params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:42:41 +0000 (22:42 +1000)]
prov: support param argument to digest init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:42:10 +0000 (22:42 +1000)]
doc: document param argument to RSA calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:41:58 +0000 (22:41 +1000)]
doc: document param argument to cipher init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:41:24 +0000 (22:41 +1000)]
test: support params arguments to init functions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:41:10 +0000 (22:41 +1000)]
ssl: support params arguments to init functions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:40:25 +0000 (22:40 +1000)]
apps: support param argument to init functions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:01:12 +0000 (22:01 +1000)]
prov: update KEM to support params on init()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 12:00:53 +0000 (22:00 +1000)]
prov: update exchange algorithms to support params on the init call
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 10:21:00 +0000 (20:21 +1000)]
misc: other init function param additions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Wed, 3 Mar 2021 01:02:42 +0000 (11:02 +1000)]
doc: update PKEY documentation to include the new init functions with params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 10:20:25 +0000 (20:20 +1000)]
evp: add params arguments to init functions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 09:05:39 +0000 (19:05 +1000)]
core: add params arguments to init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Tue, 2 Mar 2021 09:04:55 +0000 (19:04 +1000)]
prov: asym ciphers take an extra init() params argument
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Mon, 1 Mar 2021 23:05:15 +0000 (09:05 +1000)]
doc: add params argument to key manager's gen_init call
Fixes #14286
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Mon, 1 Mar 2021 23:03:00 +0000 (09:03 +1000)]
core: add params argument to key manager's gen_init call
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Mon, 1 Mar 2021 23:02:25 +0000 (09:02 +1000)]
provider: add params argument to key manager's gen_init call
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Mon, 1 Mar 2021 23:01:33 +0000 (09:01 +1000)]
evp: add params argument to key manager's gen_init call
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Pauli [Mon, 1 Mar 2021 23:01:14 +0000 (09:01 +1000)]
test: add params argument to key manager's gen_init call
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
Rich Salz [Thu, 18 Feb 2021 21:27:08 +0000 (16:27 -0500)]
Fix error-checking compiles for mutex
Fixes: #14229
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14264)
Anthony Hu [Wed, 10 Mar 2021 16:15:57 +0000 (11:15 -0500)]
Increase the upper limit on group name length
While all the standardized groups would fit within the old limit,
with the addition of providers, some might want to experiment with
new and unstandardized groups. As such, their names might not fit
within the old limit.
Define it as GROUP_NAME_BUFFER_LENGTH with value 64.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14502)
Richard Levitte [Tue, 9 Mar 2021 17:49:06 +0000 (18:49 +0100)]
TEST: Stop the cleanup in test/recipes/20-test_mac.t
Let the files remain to make test forensics easy
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14484)
Richard Levitte [Tue, 9 Mar 2021 17:23:39 +0000 (18:23 +0100)]
PROV: use EVP_CIPHER_CTX_set_params() rather than EVP_CIPHER_CTX_ctrl()
This is in gmac_final(), where the cipher is known to be fetched.
It's more suitable to use OSSL_PARAMs than _ctrl functions, as the
latter are expected to become obsolete.
Fixes #14359
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14484)
Dr. David von Oheimb [Tue, 9 Mar 2021 12:32:43 +0000 (13:32 +0100)]
openssl-cmp.pod.in and apps/cmp.c: Various minor do improvements
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14493)
Matt Caswell [Thu, 11 Mar 2021 13:47:21 +0000 (13:47 +0000)]
Prepare for 3.0 alpha 14
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 11 Mar 2021 13:47:12 +0000 (13:47 +0000)]
Prepare for release of 3.0 alpha 13
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 11 Mar 2021 13:27:36 +0000 (13:27 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14512)
Vincent Drake [Mon, 1 Mar 2021 19:38:02 +0000 (14:38 -0500)]
Use read/write locking on Windows
Fixes #13914
The "SRWLock" synchronization primitive is available in Windows Vista
and later. CRYPTO_THREAD functions now use SRWLock functions when the
target operating system supports them.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14381)
panda [Mon, 8 Mar 2021 21:12:42 +0000 (13:12 -0800)]
Check SSL_set1_chain error in set_cert_cb
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14469)
Pedro Monreal [Thu, 4 Mar 2021 16:01:50 +0000 (17:01 +0100)]
Fix reason code: EVP_R_OPERATON_NOT_INITIALIZED
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14429)
Pauli [Tue, 9 Mar 2021 00:57:05 +0000 (10:57 +1000)]
test: convert store test to use relative paths
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14419)
Pauli [Fri, 5 Mar 2021 01:24:34 +0000 (11:24 +1000)]
core: add up_ref callback for OSSL_CORE_BIO
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14419)
Pauli [Thu, 4 Mar 2021 03:53:53 +0000 (13:53 +1000)]
Add a real type for OSSL_CORE_BIO which is distinct from and not castable to BIO
Providers (particularly the FIPS provider) needs access to BIOs from libcrypto.
Libcrypto is allowed to change the internal format of the BIO structure and it
is still expected to work with providers that were already built. This means
that the libcrypto BIO must be distinct from and not castable to the provider
side OSSL_CORE_BIO.
Unfortunately, this requirement was broken in both directions. This fixes
things by forcing the two to be different and any casts break loudly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14419)
Shane Lontis [Tue, 9 Mar 2021 07:27:55 +0000 (17:27 +1000)]
Use BIO_f_readbuffer() in the decoder to support stdin.
Fixes #13185
Fixes #13352
Removed the existing code in file_store that was trying to figure out the
input type.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14407)
Shane Lontis [Tue, 9 Mar 2021 07:25:26 +0000 (17:25 +1000)]
Add new filter BIO BIO_f_readbuffer()
This allows BIO_tell() and BIO_seek() to work for BIO's that do
not support these methods. The main use case for this is file/fd BIO's
that use stdin.
This works for stdin taken from input redirection (command < file),
and stdin via pipe (cat file | command).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14407)
Tomas Mraz [Tue, 9 Mar 2021 13:59:20 +0000 (14:59 +0100)]
Fix formatting error of HISTORY section in some manual pages.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14450)
Tomas Mraz [Fri, 5 Mar 2021 21:11:49 +0000 (22:11 +0100)]
Change default algorithms in PKCS12_create() and PKCS12_set_mac()
Use the modern defaults as now set in the pkcs12 app. This also
allows modifying the application to not override the default values
when calling the API.
Fixes #14034
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14450)
Matt Caswell [Mon, 8 Mar 2021 17:15:55 +0000 (17:15 +0000)]
Mention the change of licence in NEWS.md
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)
Matt Caswell [Mon, 8 Mar 2021 16:23:14 +0000 (16:23 +0000)]
Expand the CHANGES entry for SHA1 and libssl
As well as SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 not working at
security level 1 we also document that TLS 1.2 connection will fail
if the ClientHello does not have a signature algorithms extension.
Fixes #14447
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)
Matt Caswell [Mon, 8 Mar 2021 16:18:26 +0000 (16:18 +0000)]
Add a CHANGES for OSSL_STORE_INFO_get_type()
The function OSSL_STORE_INFO_get_type() may now return a new object
type. Applications may have to be amended accordingly.
Fixes #14446
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)
Matt Caswell [Mon, 8 Mar 2021 16:06:17 +0000 (16:06 +0000)]
Add a missing CHANGES.md entry for the legacy provider
Numerous ciphers and digests have been moved to the legacy provider.
There should be a CHANGES.md entry pointing this out.
Fixes #14441
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)
Dmitry Belyavskiy [Mon, 8 Mar 2021 20:36:10 +0000 (21:36 +0100)]
Non-const accessor to legacy keys
Fixes #14466.
Reverting the changes of the EVP_PKEY_get0 function.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14468)
Arthur Gautier [Sat, 6 Mar 2021 23:08:08 +0000 (23:08 +0000)]
EVP_KDF-KB man page: Fix typo in the example code
CLA: trivial
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14455)
Alistair Francis [Thu, 4 Mar 2021 17:10:11 +0000 (12:10 -0500)]
Fixup support for io_pgetevents_time64 syscall
This is a fixup for the original commit
5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
"Add support for io_pgetevents_time64 syscall" that didn't correctly
work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V.
For a full discussion of the issue see:
https://github.com/openssl/openssl/commit/
5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14432)
Dr. David von Oheimb [Mon, 8 Mar 2021 07:04:54 +0000 (08:04 +0100)]
cmp_hdr.c: Fix minor Coverity issue CID
1473605
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14460)
Dr. David von Oheimb [Mon, 8 Mar 2021 06:58:04 +0000 (07:58 +0100)]
http_test.c: Fix minor Coverity issue CID
1473608
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14460)
Shane Lontis [Thu, 4 Mar 2021 03:54:40 +0000 (13:54 +1000)]
Reword repeated words.
A trivial PR to remove some commonly repeated words. It looks like this is
not the first PR to do this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14420)
Tomas Mraz [Fri, 5 Mar 2021 17:19:12 +0000 (18:19 +0100)]
apps/pkcs12: Allow continuing on absent mac
Just print a warning in that case.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14445)
Tomas Mraz [Fri, 5 Mar 2021 17:08:05 +0000 (18:08 +0100)]
apps/pkcs12: Detect missing PKCS12KDF support on import
Report error message with hint to use -nomacver if
MAC verification is not required.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14445)
Tomas Mraz [Fri, 5 Mar 2021 16:22:35 +0000 (17:22 +0100)]
apps/pkcs12: Properly detect MAC setup failure
The MAC requires PKCS12KDF support which is not present
in FIPS provider as it is not an approved KDF algorithm.
Suggest using -nomac if MAC is not required.
Fixes #14057
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14445)
Armin Fuerst [Mon, 8 Mar 2021 20:14:50 +0000 (21:14 +0100)]
fake_rand_finish should be called if "OPENSSL_NO_SM2" is NOT defined
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14471)
Matt Caswell [Thu, 4 Mar 2021 16:33:26 +0000 (16:33 +0000)]
Fix the check for suitable groups and TLSv1.3
If we have TLSv1.3 enabled then we must have at least one TLSv1.3 capable
group available. This check was not always working
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14430)
Matt Caswell [Tue, 2 Mar 2021 15:52:00 +0000 (15:52 +0000)]
Make the EVP_PKEY_get0* functions have a const return type
OTC have decided that the EVP_PKEY_get0* functions should have a const
return type. This is a breaking change to emphasise that these values
should be considered as immutable.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)
Matt Caswell [Thu, 25 Feb 2021 17:00:38 +0000 (17:00 +0000)]
Document the change in behaviour of the the low level key getters/setters
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)
Matt Caswell [Thu, 25 Feb 2021 16:27:46 +0000 (16:27 +0000)]
Ensure the various legacy key EVP_PKEY getters/setters are deprecated
Most of these were already deprecated but a few have been missed. This
commit corrects that.
Fixes #14303
Fixes #14317
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)
Matt Caswell [Wed, 24 Feb 2021 16:38:28 +0000 (16:38 +0000)]
Cache legacy keys instead of downgrading them
If someone calls an EVP_PKEY_get0*() function then we create a legacy
key and cache it in the EVP_PKEY - but it doesn't become an "origin" and
it doesn't ever get updated. This will be documented as a restriction of
the EVP_PKEY_get0*() function with provided keys.
Fixes #14020
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)
Matt Caswell [Wed, 24 Feb 2021 15:04:41 +0000 (15:04 +0000)]
Avoid a null pointer deref on a malloc failure
Make sure we were sucessful in creating an EVP_PKEY
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)
Matt Caswell [Fri, 29 Jan 2021 17:25:33 +0000 (17:25 +0000)]
Add a multi thread test for downgrading keys
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14319)
Dmitry Belyavskiy [Fri, 5 Mar 2021 17:50:37 +0000 (18:50 +0100)]
Restore GOST macros compatibility with 1.1.1
Fixes #14440
Before IANA assigned the official codes for the GOST signature
algorithms in TLS, the values from the Reserved for Private Use range
were in use in Russia. The old values were renamed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14448)