Commit Graph

30167 Commits

Author SHA1 Message Date
Todd Short
0449702abc Fix potential double-free
The `sk` variable is assigned to `s->session->peer_chain`.
If `ssl3_digest_cached_records()` were to fail, then `sk` would still be
non-NULL, and subsequently freed on the error return. When the session
is freed, it will then attempt to free `s->session->peer_chain`,
resulting in a double-free (of `sk`).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16309)
2021-08-16 12:56:53 +02:00
Tomas Mraz
0ec738433e Multiple fixes for getting pub key from legacy DH PKEY
There were multiple issues with getting OSSL_PKEY_PARAM_PUB_KEY
from a legacy EVP_PKEY DH and DHX keys.

Fixes #16247

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16253)
2021-08-16 12:55:08 +02:00
Tomas Mraz
4ccad35756 Correct documentation errors in regards to UTF8 params
This fixes numerous bugs in documentation in regards to UTF8
params and their sizes. The returned size should always be without the
terminating NUL byte. On the other hand on the requestor side
the size of the buffer should include the NUL byte if it expects it
being included in the returned string.

Also make this clear in the EVP_PKEY_get_group_name() documentation
which uses utf8 string params under the hood.

Fixes #16287

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16296)
2021-08-13 12:28:10 +02:00
Tomas Mraz
bd32bdb8b2 Add documentation about the multilib postfix and libdir
Fixes #16244

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16281)
2021-08-13 10:45:44 +02:00
Shane Lontis
254957f768 Allow small RSA exponents in the default provider
Fixes #16255

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16285)
2021-08-13 10:35:56 +02:00
Dmitry Belyavskiy
a5f4099d27 Disclaimer about the default provider activation added to config
Fixes #16249

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16280)
2021-08-12 09:59:34 +02:00
Pauli
dbd0244a16 genpkey: -quiet doesn't take an argument
Fixes #16238

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16240)
2021-08-12 16:26:22 +10:00
Todd Short
3465ec99ea Sort SSL_OP names in documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16236)
2021-08-11 18:13:33 +02:00
Todd Short
73dadb9300 Add missing SSL_OP flags
Add missing SSL_OP flags. Correct the list of flags set by SSL_OP_ALL.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16236)
2021-08-11 18:13:11 +02:00
Tomas Mraz
0f70d60134 EVP_CIPHER_CTX_set_key_length: Raise error when key length is not settable
If key length is different from the existing key length and it is not
a settable parameter, raise an error.

Fixes #16277

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16279)
2021-08-11 17:11:47 +02:00
Tomas Mraz
12e055991e dsatest: Properly detect failure in generate/sign/verify
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16268)
2021-08-11 12:07:08 +02:00
Tomas Mraz
aa5098021b Set FFC_PARAM_FLAG_VALIDATE_LEGACY on params generated with FIPS 186-2 gen
Fixes #16261

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16268)
2021-08-11 12:07:08 +02:00
Tomas Mraz
c96670e59a aes_v8_xts_encrypt is present only on 64bit arm builds
Fixes #16273

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16275)
2021-08-11 10:08:57 +02:00
Dmitry Belyavskiy
b4f1b7b658 Omitted signature_algorithms extension alerts updated
Fixes #15484

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16217)
2021-08-11 09:47:47 +02:00
David Bohman
ad2fc0bed4 MacOS: Add an include of <CommonCrypto/CommonCryptoError.h>
The include is added before <CommonCrypto/CommonRandom.h>,
as required by older releases of the macOS developer tools.

Fixes #16248

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16258)
2021-08-11 09:29:39 +02:00
Pauli
474294cb66 doc: remove errant claim that these are not FIPS okay
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16239)
2021-08-08 13:55:56 +10:00
Pauli
5e89262535 doc: Fix ECX FIPS documentation
Both Ed448 and Ed25519 were omitted from the signature list.
X448 and X25519 were flagged as not FIPS valid which wasn't correct.

Fixes #16234

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16239)
2021-08-08 13:55:56 +10:00
Tomas Mraz
c2b94c0a15 Avoid freeing the conf lhashes in X509_V3_EXT*_add_conf
Fixes #16226

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16227)
2021-08-06 17:32:06 +02:00
Dr. David von Oheimb
08e9ff7600 Fix CMP app TLS connection not respecting vpm options like -crl_check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16225)
2021-08-06 14:44:25 +02:00
Amir Mohammadi
9b887d5d5a Fix test case for a2i_IPADDRESS
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16201)
2021-08-06 12:31:24 +02:00
Christian Heimes
1a9411a30b Test case for a2i_IPADDRESS
Unit test to show that a2i_IPADDRESS("1.2.3.4.test.example") ignores
trailing data.

See: https://github.com/openssl/openssl/issues/12649
See: https://bugs.python.org/issue41556
Signed-off-by: Christian Heimes <christian@python.org>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16201)
2021-08-06 12:31:24 +02:00
Amir Mohammadi
8b9a13b43b Fix ipv4_from_asc behavior on invalid Ip addresses
sscanf() call in ipv4_from_asc does not check that
the string is terminated immediately after the last digit.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16201)
2021-08-06 12:31:24 +02:00
Tomas Mraz
3f15358c79 X509_STORE_CTX_get_error: Fix some minor documentation issues
Original PR by Eric Valcik
(https://github.com/openssl/openssl/pull/12302)

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16219)
2021-08-06 11:45:27 +10:00
Kelvin Lee
6ef8d2c69b Fix VS2019 compile error C4703: potentially uninitialized local pointer variable used.
encode_key2text.c(689): error C4703: potentially uninitialized local pointer variable 'modulus_label' used
encode_key2text.c(691): error C4703: potentially uninitialized local pointer variable 'exponent_label' used

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12845)
2021-08-06 09:24:23 +10:00
Tomas Mraz
37578dc02d cms: Fix handling of -rctform option
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16216)
2021-08-05 16:49:58 +02:00
Tomas Mraz
f5c0f69619 cms: Do not try to check binary format on stdin
Fixes #16195

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16216)
2021-08-05 16:49:58 +02:00
Tomas Mraz
204323446e req: Avoid segfault when -modulus is used
Fixes #16196

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16215)
2021-08-05 12:49:43 +02:00
Billy Brumley
3d4ca443b4 [doc/man3] documentation: BN_cmp manpage updates
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16214)
2021-08-05 12:25:40 +02:00
Pauli
46d5152031 test: add -macopt hexkey: to dgst command tests
Comparison checksum generated using 1.1.1f.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16212)
2021-08-05 10:14:33 +02:00
Pauli
5cdeb99f9c ctrls: add missing control string translation for key -> priv for HMAC
Fixes #16200

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16212)
2021-08-05 10:14:32 +02:00
Pauli
d209fc6cce evp_test: add TLS 1.3 KDF test suite
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:44:00 +10:00
Pauli
05bd00b8a6 test: add test cases for TLS 1.3 KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:44:00 +10:00
Pauli
c5f15fb28e update doc/build.info
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:44:00 +10:00
Pauli
bf7c901160 fips: add power up test for TLS 1.3 KDF
The power up known answer test for the TLS 1.3 KDF does just the first step
to derive the "client_early_traffic_secret" using the two modes of the KDF.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:44:00 +10:00
Pauli
5961aedaa5 doc: add TLS 1.3 KDF to the FIPS provider list of algorithms.
Fix link to TLS1 PRF.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:44:00 +10:00
Pauli
e18ceda105 doc: reorder the string and int extract/expand param values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:44:00 +10:00
Pauli
9ff407a1dc doc: add links to new KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:44:00 +10:00
Pauli
94eb3cdd34 doc: add documentation for TLS13_KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:44:00 +10:00
Pauli
736dba012f provider: add TLS13_KDF to the default and FIPS providers
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:43:59 +10:00
Pauli
f7d998a206 tls/prov: move the TLS 1.3 KDF code to providers
This function needs to be power up tested as part of the FIPS validation and
thus it needs to be inside the provider boundary.  This is realised by
introducing a new KDF "TLS13-KDF" which does the required massaging of
parameters but is otherwise functionally equivalent to HKDF.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:43:59 +10:00
Pauli
2cdf7c6a33 doc: add missing link directive in X942 KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16203)
2021-08-05 15:43:40 +10:00
Pauli
7587b5fd09 CI: remove spurious blank lines
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16174)
2021-08-05 15:41:29 +10:00
Pauli
ebe667b464 ci: specific gcc explicitly on the basic-gcc CI build
GitHub Actions default to clang not gcc so this is necessary now.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16174)
2021-08-05 15:41:29 +10:00
Pauli
7b917179d0 ci: separate the config dump from the configuration command
This avoids using the shell's `&&` and shortens the lines a bit.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16174)
2021-08-05 15:41:29 +10:00
Dmitry Belyavskiy
6da0f27483 Document necessary error code processing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16187)
2021-08-05 10:03:42 +10:00
Tomas Mraz
6b9d3b7c5e Add oid_section to sysdefault.cnf to test adding new oids
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16210)
2021-08-05 09:21:00 +10:00
Tomas Mraz
b5c4dc6ce5 Prevent recursive call of OPENSSL_INIT_LOAD_CONFIG
If objects are added in a config file the OPENSSL_INIT_LOAD_CONFIG
will be called recursively which results in hang in RUN_ONCE.

Fixes #16186

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16210)
2021-08-05 09:21:00 +10:00
Dr. David von Oheimb
421953effe apps/pkeyutl.c: call ERR_print_errors() on all errors, including Signature Verification Failure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16209)
2021-08-04 16:38:09 +02:00
Tomas Mraz
a8f35a5527 Use copy.pl to install the fips module on Windows
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16208)
2021-08-04 14:05:54 +02:00
Tomas Mraz
25ab542409 Windows, VMS: Do install_fips on install if fips is enabled
Also fix some inconsistencies and minor bugs related to the
install_fips target on Windows and VMS.

Fixes #16194

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16208)
2021-08-04 14:05:54 +02:00