openssl.git
Matt Caswell [Thu, 27 May 2021 15:47:14 +0000 (16:47 +0100)]
Ensure that we consume all the data when decoding an SPKI

If we are decoding a SubjectPublicKeyInfo structure then we must use all
of the data and must not have bytes "left over".

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

Matt Caswell [Thu, 27 May 2021 15:24:00 +0000 (16:24 +0100)]
Use the right class/tag when decoding an embedded key

When a key (SubjectPublicKeyInfo) is embedded in some other structure
it may use an implicit tag. However the decoders can only handle the
universal class and don't know how to interpret the implicit tag.
Therefore we modify the data into a form the decoders can handle.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

Matt Caswell [Tue, 25 May 2021 14:19:56 +0000 (15:19 +0100)]
Fix CTLOG_new_from_base64_ex()

Ensure that the libctx/propq are passed to d2i_PUBKEY_ex()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

Matt Caswell [Fri, 21 May 2021 16:26:35 +0000 (17:26 +0100)]
Fix the expected output of printing certificates

Now that we are using provided keys when loading a certificate the pretty
printing formatting is cosmetically different. We need to adjust expected
test output accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)

Tomas Mraz [Mon, 7 Jun 2021 09:54:04 +0000 (11:54 +0200)]
EVP_PKEY_new_raw_private_key: Allow zero length keys

Allocate at least one byte to distinguish a zero length key
from an unset key.

Fixes #15632

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15643)

Larkin Nickle [Wed, 2 Jun 2021 18:17:40 +0000 (14:17 -0400)]
Fix compilation on systems with empty _POSIX_TIMERS

Systems such as Tru64 ship with broken headers that
have _POSIX_TIMERS defined but empty.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15598)

Pauli [Mon, 7 Jun 2021 11:07:21 +0000 (21:07 +1000)]
evp: avoid some calls to EVP_CIPHER_CTX_get_iv_length() because it's been called already

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:49:04 +0000 (09:49 +1000)]
evp: fix Coverity 1485670 argument cannot be negative

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:45:40 +0000 (09:45 +1000)]
evp: fix Coverity 1485669 improper use of negative value

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:42:54 +0000 (09:42 +1000)]
evp: fix Coverity 1485668 argument cannot be negative

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:39:55 +0000 (09:39 +1000)]
pkcs12: fix Coverity 1485667 logically dead code

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:36:04 +0000 (09:36 +1000)]
evp: fix coverity 1485666 argument cannot be negative

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:28:49 +0000 (09:28 +1000)]
evp: fix improper use of negative value issues

Coverity issues 1485662, 1485663 & 1485664.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:26:42 +0000 (09:26 +1000)]
afalg: fix coverity 1485661 improper use of negative value

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:23:41 +0000 (09:23 +1000)]
fix coverity 1485660 improper use of negative value

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Sun, 6 Jun 2021 23:20:16 +0000 (09:20 +1000)]
bio: improve error checking fixing coverity 1485659 & 1485665

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)

Pauli [Mon, 7 Jun 2021 09:05:54 +0000 (19:05 +1000)]
doc: add PKEY life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 09:07:30 +0000 (19:07 +1000)]
doc: build changes for PKEY life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 05:14:47 +0000 (15:14 +1000)]
doc: add build info for cipher life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 05:14:25 +0000 (15:14 +1000)]
doc: add references to cipher life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 05:11:28 +0000 (15:11 +1000)]
doc: add cipher life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 04:41:27 +0000 (14:41 +1000)]
doc: improve the cipher life cycle diagram

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 02:38:25 +0000 (12:38 +1000)]
doc-nits: support out of source execution

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 02:35:06 +0000 (12:35 +1000)]
doc: remove empty section

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 02:28:29 +0000 (12:28 +1000)]
doc: add references to digest life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 02:28:02 +0000 (12:28 +1000)]
doc: add digest life cycle documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 02:27:39 +0000 (12:27 +1000)]
doc: add digest lifecycle diagram

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Pauli [Mon, 7 Jun 2021 02:27:17 +0000 (12:27 +1000)]
life-cycles: update digest state table

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)

Daniel Bevenius [Mon, 7 Jun 2021 04:01:54 +0000 (06:01 +0200)]
Add aix64-gcc-as architecture and p2align callback

This commit adds an architecture named aix64-gcc-as which can generate
assembler source code compatible with AIX assembler (as) instead of the
GNU Assembler (gas). This architecture name is then used in a callback
for the .p2align directive which is not available in AIX as.

The motivation for this addition came out of an issue we ran into when
working on upgrading OpenSSL in Node.js. We ran into the following
compilation error on one of the CI machines that uses AIX:

  05:39:05 Assembler:
  05:39:05 crypto/bn/ppc64-mont-fixed.s: line 4: Error In Syntax

This machine is using AIX Version 7.2 and does not have gas installed
and the .p2align directive is causing this error. After asking around if
it would be possible to install GAS on this machine I learned that AIX
GNU utils are not maintained as well as the native AIX ones and we
(Red Hat/IBM) have run into issues with the GNU utils in the past and if
possible it would be preferable to be able to use the AIX native
assembler.

Refs: https://github.com/nodejs/node/pull/38512

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15638)

Tomas Mraz [Fri, 4 Jun 2021 11:56:41 +0000 (13:56 +0200)]
X509_digest_sig: Handle RSA-PSS and EDDSA certificates

Identify digest from sigalg params for RSA-PSS and fallback
to SHA-256 for EDDSA.

Fixes #15477

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15618)

Dr. David von Oheimb [Thu, 4 Mar 2021 07:47:51 +0000 (08:47 +0100)]
Move trust-related decls from x509.h.in to x509_vfy.h.in

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

Dr. David von Oheimb [Thu, 4 Mar 2021 06:36:21 +0000 (07:36 +0100)]
x509.h.in: extended 'documenting' comment on X509_TRUST_OK_ANY_EKU

This hopefully alleviates the fact that the name is unclear/misleading.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

Dr. David von Oheimb [Wed, 23 Dec 2020 22:29:04 +0000 (23:29 +0100)]
Improve the documentation of cert path building and validation

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

Dr. David von Oheimb [Mon, 4 Jan 2021 07:50:42 +0000 (08:50 +0100)]
X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

Dr. David von Oheimb [Mon, 4 Jan 2021 07:49:17 +0000 (08:49 +0100)]
x509_vfy.c: Improve a couple of internally documenting comments

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

Dr. David von Oheimb [Mon, 4 Jan 2021 07:48:24 +0000 (08:48 +0100)]
x509_trs.c: rename to x509_trust.c and correct comment in trust_compat()

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)

Shane Lontis [Mon, 7 Jun 2021 01:33:28 +0000 (11:33 +1000)]
Fix AIX FIPS DEP.

The entry point needs the option 'binitfini', but it was not being
added since the perl code to detect the match did not work.

The entry point for AIX is no longer static - so a wrapper has been
added to call the static version.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15636)

Dr. David von Oheimb [Thu, 3 Jun 2021 10:56:11 +0000 (12:56 +0200)]
BIO_write-ex(): Improve behavior in corner cases and documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15608)

Shane Lontis [Thu, 3 Jun 2021 09:09:38 +0000 (19:09 +1000)]
Add a gettable for provider ciphers to return the EVP_CIPH_RAND_KEY flag

Fixes #15531

DES and TDES set this flag which could possibly be used by applications.
The gettable cipher param OSSL_CIPHER_PARAM_HAS_RAND_KEY has been added.

Note that EVP_CIPHER_CTX_rand_key() uses this flag.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15606)

Shane Lontis [Thu, 3 Jun 2021 00:54:13 +0000 (10:54 +1000)]
Document missing EC/SM2 params

Fixes #15548

Document OSSL_PKEY_PARAM_EC_PUB_X, OSSL_PKEY_PARAM_EC_PUB_Y and OSSL_PKEY_PARAM_DEFAULT_DIGEST
Added a section related to parameters for SM2.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15601)

Juergen Christ [Wed, 2 Jun 2021 17:33:50 +0000 (19:33 +0200)]
Test EVP_CipherInit sequences and resets

Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x.  Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results.  Add some unit tests to cover these rather exotic use
cases.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)

Juergen Christ [Fri, 28 May 2021 13:02:52 +0000 (15:02 +0200)]
Fix CipherInit on s390x.

Various different initialization sequences led to bugs on s390x due to caching
and processing during key setting.  Since, e.g., the direction does not
necessarily have to be correct during initialization, this produced bugs in
s390x which were not present on other architectures.  Fix this by recomputing
the function codes on the fly during updates and final operations.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)

FdaSilvaYY [Thu, 3 Jun 2021 14:28:21 +0000 (16:28 +0200)]
Use rd instead rmdir

to avoid collision with rmdir.exe from cygwin or msys

Original idea by Mladen Turk @mturk

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15610)

Matt Caswell [Fri, 4 Jun 2021 08:39:32 +0000 (09:39 +0100)]
Fix generate_ssl_tests.pl

Fix the generate_ssl_tests.pl script so that it can be run standalone from
the command line according to the instructions in test/README.ssltest.md

Fixes #11430

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15617)

Tomas Mraz [Fri, 4 Jun 2021 15:01:24 +0000 (17:01 +0200)]
Elimination of some sources not needed in the FIPS_MODULE

Unfortunately in terms of fips.sources this does not mean much
given the way the .h files are added via the dependency
information from the compiler.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15622)

Richard Levitte [Wed, 2 Jun 2021 19:19:18 +0000 (21:19 +0200)]
test/recipes/80-test_cmp_http.t: Don't trust $server_port in start_mock_server()

Even if $server_port isn't touched, it's still a number coming from
configuration.  It's therefore not trustable as an indicator that the
ACCEPT line delivered a port number or an error indication.

$accept_msg is used instead to capture the port if there is one, and
be a better indicator of error.

Fixes #15557
Fixes #15571

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)

Richard Levitte [Wed, 2 Jun 2021 06:14:08 +0000 (08:14 +0200)]
test/recipes/80-test_cmp_http.t: Simplify test_cmp_http()

test_cmp_http() made some assumptions about what values exit_checker
could get that aren't quite right.

Furthermore, the expected result isn't about exit codes, but about
true or false.  This is better served by getting the value from
OpenSSL::Test::run(), and checking that value against $expected_result
with Test::More::is().

Fixes #15557
Fixes #15571

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)

Pauli [Fri, 4 Jun 2021 10:14:07 +0000 (20:14 +1000)]
doc: update generated image files

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15616)

Pauli [Fri, 4 Jun 2021 10:13:15 +0000 (20:13 +1000)]
doc: update Graphviz images to have a transparent background

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15616)

Pauli [Fri, 4 Jun 2021 04:35:53 +0000 (14:35 +1000)]
property: move additional query functions to property_query.c

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15614)

Pauli [Fri, 4 Jun 2021 04:25:14 +0000 (14:25 +1000)]
property: improve ossl_property_find_property() function

This function searches a property list for a specific property and returns
a pointer to the definition if found.  The existing version was O(n) time,
the improved O(log n).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15614)

Pauli [Fri, 4 Jun 2021 03:19:23 +0000 (13:19 +1000)]
Rename `n` field to `num_properties` in property definition structure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15614)

Richard Levitte [Wed, 2 Jun 2021 04:49:09 +0000 (06:49 +0200)]
PROV: drop get_params() and gettable_params() from all encoder implementatio

They aren't needed at all any more, since the properties contain the
same information.

This also drops the parameter names OSSL_ENCODER_PARAM_OUTPUT_TYPE
and OSSL_ENCODER_PARAM_OUTPUT_STRUCTURE

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

Richard Levitte [Wed, 2 Jun 2021 04:37:43 +0000 (06:37 +0200)]
ENCODER: use property definitions instead of getting implementation parameters

The OSSL_ENCODER library used to ask each encoder implementation for
certain data in form of parameters to place them correctly in the
encoder chain, if at all.  These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.

Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

Richard Levitte [Wed, 2 Jun 2021 04:32:00 +0000 (06:32 +0200)]
ENCODER: Drop OSSL_ENCODER_PARAM_INPUT_TYPE

This was a poor substitute for using the name of the decoder implementation,
and since there is functionality to get the latter now, this parameter
can be dropped.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

Richard Levitte [Tue, 1 Jun 2021 18:10:45 +0000 (20:10 +0200)]
PROV: drop get_params() and gettable_params() from all decoder implementations

They aren't needed at all any more, since the properties contain the
same information.

This also drops the parameter names OSSL_DECODER_PARAM_INPUT_TYPE
and OSSL_DECODER_PARAM_INPUT_STRUCTURE.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

Richard Levitte [Tue, 1 Jun 2021 18:04:59 +0000 (20:04 +0200)]
DECODER: use property definitions instead of getting implementation parameters

The OSSL_DECODER library used to ask each decoder implementation for
certain data in form of parameters to place them correctly in the
decoder chain, if at all.  These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.

Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.

This adds the "global" error reason ERR_R_INVALID_PROPERTY_DEFINITION,
which can be re-used elsewhere.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

Richard Levitte [Tue, 1 Jun 2021 18:02:24 +0000 (20:02 +0200)]
property: Add functionality to query data from a property definition

This required making some OSSL_PROPERTY types a little less private.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)

Richard Levitte [Fri, 4 Jun 2021 08:25:00 +0000 (10:25 +0200)]
make update-fips-checksums

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15615)

Richard Levitte [Fri, 4 Jun 2021 08:19:40 +0000 (10:19 +0200)]
FIPS: don't include crypto/passphrase.c in libfips.a

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15615)

Matt Caswell [Tue, 1 Jun 2021 14:17:38 +0000 (15:17 +0100)]
Add documentation for newly added ASN1 functions

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Thu, 27 May 2021 14:03:06 +0000 (15:03 +0100)]
Ensure libctx/propq is propagated when handling X509_REQ

When we create via d2i or dup an X509_REQ we should ensure that the libctx
is properly propagated. We also ensure we create X509_REQ objects with the
proper libctx assigned in the CMP tests.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Thu, 27 May 2021 09:56:02 +0000 (10:56 +0100)]
Give ASN.1 objects the ability to report their libctx/propq

Some ASN.1 objects have an embedded libctx/propq. If they have one we
give the ASN.1 code the ability to find these values and use them where
needed. This is used for OSSL_CMP_MSG_dup() and X509_dup().

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Thu, 27 May 2021 08:00:47 +0000 (09:00 +0100)]
Make sure X509_dup() also dup's any associated EVP_PKEY

Otherwise we can end up with a blank EVP_PKEY. If it is later recreated
it can end up with the wrong libctx/propq.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Wed, 26 May 2021 16:18:13 +0000 (17:18 +0100)]
Use the new ASN.1 libctx aware capabilities in CMP

Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Tue, 25 May 2021 16:46:11 +0000 (17:46 +0100)]
Use the new ASN.1 libctx aware functions in CMS

Make sure we pass the libctx around when working with CMS structures

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Tue, 25 May 2021 16:16:18 +0000 (17:16 +0100)]
Teach more of the ASN.1 code about libctx/propq

Make sure we pass libctx/propq down to all the layers so that objects that
are created during parsing have the right values. Then use this new
capability for PKCS7.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Fri, 21 May 2021 16:25:05 +0000 (17:25 +0100)]
Teach the ASN.1 code how to create embedded objects with libctx/propq

An ASN.1 object such as an X509 may have embedded objects in it such as
an X509_PUBKEY. If there is a libctx/propq in use then we need to make sure
we pass these down to the constructors of these embedded objects.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Fri, 21 May 2021 14:50:43 +0000 (15:50 +0100)]
Fix evp_extra_test to use libctx in an X509_PUBKEY

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Fri, 21 May 2021 14:50:09 +0000 (15:50 +0100)]
Provide the ability to create an X509_PUBKEY with a libctx/propq

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

Matt Caswell [Thu, 3 Jun 2021 10:50:48 +0000 (11:50 +0100)]
Test a bad SmtpUTF8Mailbox name constraint

We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)

Matt Caswell [Thu, 3 Jun 2021 10:08:25 +0000 (11:08 +0100)]
Check that we got the expected name type when verifying name constraints

If a SAN field contains an SmtpUTF8Mailbox name then it is expected to
have a UTF8String type. We should verify that it really does before we
attempt to use the value in it.

Reported by Corey Bonnell

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)

Tomas Mraz [Thu, 3 Jun 2021 13:26:52 +0000 (15:26 +0200)]
Update fips checksums to drop the ssl headers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15609)

Tomas Mraz [Thu, 3 Jun 2021 13:22:05 +0000 (15:22 +0200)]
Move libssl related defines used by fips provider to prov_ssl.h

This nicely reduces the number of files considered as fips
provider sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15609)

Pauli [Thu, 3 Jun 2021 04:27:28 +0000 (14:27 +1000)]
req: detect a bad choice of digest early

This is a regression against 1.1.1 when an unknown digest was detected
early.

Fixes #15285

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15602)

Tomas Mraz [Wed, 2 Jun 2021 07:35:44 +0000 (09:35 +0200)]
req: fix default bits handling for -newkey

Fixes #15569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15582)

Dr. David von Oheimb [Wed, 2 Jun 2021 14:47:58 +0000 (16:47 +0200)]
80-test_http.t: Rename to 79-test_http.t, add basic HTTP server ACCEPT test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15592)

Dr. David von Oheimb [Wed, 2 Jun 2021 13:52:26 +0000 (15:52 +0200)]
80-test_cmp_http.t: Improve comparison on server_port variable

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15592)

Rich Salz [Wed, 2 Jun 2021 13:38:01 +0000 (09:38 -0400)]
Add md-nits task

Assumes that Ruby is installed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15590)

2 years ago Only call dtls1_start_timer() once
Matt Caswell [Wed, 2 Jun 2021 16:19:23 +0000 (17:19 +0100)]
Only call dtls1_start_timer() once

The function dtls1_handle_timeout() calls dtls1_double_timeout() which
was calling dtls1_start_timer(). However dtls1_start_timer() is also
called directly by dtls1_handle_timeout(). We only need to start the timer
once.

Fixes #15561

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15595)

2 years ago CI windows.yml: Silence 'nmake' builds except 'minimal'; ci.yml: make 'minimal' build...
Dr. David von Oheimb [Wed, 2 Jun 2021 15:26:02 +0000 (17:26 +0200)]
CI windows.yml: Silence 'nmake' builds except 'minimal'; ci.yml: make 'minimal' build verbose

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15594)

2 years ago Teach ASN1_item_verify_ctx() how to handle provided keys
Matt Caswell [Tue, 25 May 2021 11:38:19 +0000 (12:38 +0100)]
Teach ASN1_item_verify_ctx() how to handle provided keys

We need to special case RSA-PSS because that uses X509_ALGOR style
parameters and we have no support for this on the provider side at this
stage.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15527)

2 years ago openssl spkac: Fix reading SPKAC data from stdin
Tomas Mraz [Wed, 2 Jun 2021 15:01:41 +0000 (17:01 +0200)]
openssl spkac: Fix reading SPKAC data from stdin

Fixes #15367

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15593)

2 years ago OPENSSL_init_crypto must return 0 when cleanup was done
Tomas Mraz [Wed, 2 Jun 2021 13:15:45 +0000 (15:15 +0200)]
OPENSSL_init_crypto must return 0 when cleanup was done

Fixes #15581

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15589)

2 years ago Check the return value of ASN1_STRING_length
bonniegong [Wed, 2 Jun 2021 07:35:18 +0000 (15:35 +0800)]
Check the return value of ASN1_STRING_length

ASN1_STRING_length gets the field 'length' of msg, which
can be manipulated through a crafted input.
Add a check to avoid error execution of OPENSSL_malloc().

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15583)

2 years ago 80-test_cmp_http.t: Re-enable CMP tests for AIX, removing some inessential test cases
Jon Spillett [Wed, 2 Jun 2021 01:20:25 +0000 (11:20 +1000)]
80-test_cmp_http.t: Re-enable CMP tests for AIX, removing some inessential test cases

Remove negative test cases which simulate an attempt to write file contents to a directory
using a path ending in '/' as this is not compatible with fopen on all platforms, e.g., AIX.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15575)

2 years ago Deprecate EVP_CIPHER_impl_ctx_size and EVP_CIPHER_CTX_buf_noconst
Richard Levitte [Wed, 2 Jun 2021 09:07:20 +0000 (11:07 +0200)]
Deprecate EVP_CIPHER_impl_ctx_size and EVP_CIPHER_CTX_buf_noconst

Fixes #15519

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15584)

2 years ago Restore all the ? in util/libcrypto.num
Richard Levitte [Wed, 2 Jun 2021 06:45:28 +0000 (08:45 +0200)]
Restore all the ? in util/libcrypto.num

They will become numbers again when beta1 is actually released.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15578)

2 years ago util/mknum.pl: Really allow unset ordinals in development
Richard Levitte [Wed, 2 Jun 2021 04:20:05 +0000 (06:20 +0200)]
util/mknum.pl: Really allow unset ordinals in development

Any pre-release tag that includes '-dev' is development.  The ordinals
don't need to be finalized before '-dev' is removed (i.e. a release is
made).

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15578)

2 years ago Fix errors found by parfait static analyser.
Shane Lontis [Wed, 2 Jun 2021 04:42:56 +0000 (14:42 +1000)]
Fix errors found by parfait static analyser.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15579)

2 years ago rsa: make the maximum key strength check FIPS only.
Pauli [Tue, 1 Jun 2021 08:35:15 +0000 (18:35 +1000)]
rsa: make the maximum key strength check FIPS only.

To be reverted once key generation checks are added everywhere and a way to
disable them implemented.

Fixes #15502

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15560)

2 years ago Add an EVP demo for signatures using EC
yuechen-chen [Mon, 24 May 2021 06:33:55 +0000 (23:33 -0700)]
Add an EVP demo for signatures using EC

Fixes #14115

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15429)

2 years ago update checksums
Pauli [Wed, 2 Jun 2021 00:54:56 +0000 (10:54 +1000)]
update checksums

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15574)

2 years ago util: update FIPS checksumming script to be more aggressive with whitespace
Pauli [Wed, 2 Jun 2021 00:37:10 +0000 (10:37 +1000)]
util: update FIPS checksumming script to be more aggressive with whitespace

Fixes #15562

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15574)

2 years ago Add enable-fips to CI configuration
Jon Spillett [Mon, 31 May 2021 03:50:02 +0000 (13:50 +1000)]
Add enable-fips to CI configuration

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15537)

2 years ago Disable tracing within the FIPS module
Jon Spillett [Mon, 31 May 2021 03:14:24 +0000 (13:14 +1000)]
Disable tracing within the FIPS module

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15537)

2 years ago ed25519 and ed448: fix incorrect OSSL_PKEY_PARAM_MAX_SIZE
Tomas Mraz [Tue, 1 Jun 2021 12:54:43 +0000 (14:54 +0200)]
ed25519 and ed448: fix incorrect OSSL_PKEY_PARAM_MAX_SIZE

Fixes #15552

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15566)

2 years ago 80-test_cms.t: Replace use of ee-self-signed.pem by more suitable smrsa1.pem
Dr. David von Oheimb [Thu, 27 May 2021 13:11:31 +0000 (15:11 +0200)]
80-test_cms.t: Replace use of ee-self-signed.pem by more suitable smrsa1.pem

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)

2 years ago ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t
Dr. David von Oheimb [Thu, 27 May 2021 12:10:58 +0000 (14:10 +0200)]
ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)

2 years ago list: update to not use XXX_get_number() calls
Pauli [Tue, 1 Jun 2021 11:48:29 +0000 (21:48 +1000)]
list: update to not use XXX_get_number() calls

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)