Commit Graph

3999 Commits

Author SHA1 Message Date
Matt Caswell
4bf696c1d0 Correctly detect decode errors when checking if a key is supported
If we have an unsupported key type we may get a decode error and
therefore we should detect that.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
33fb6ed3ec Use the fips-and-base.cnf config file in CMP tests
Two CMP tests were using the fips.cnf config file. However to
ensure that decoders are available the fips-and-base.cnf config
file needs to be used instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
15fd6c235c Mark some priv/public key paris as only available in the default provider
Now that we actually load public keys from providers we need to mark some
key paris in the evp tests as only available there. Otherwise we get test
failures when only the FIPS Provider is loaded.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
237cb05d34 Just look for "Unable to load Public Key" if no SM2
The X509 test was looking for some specific errors when printing an SM2
X509 certificate when SM2 is disabled. In fact these errors appear in the
middle of the certificate printing which is quite odd. There is also a
separate error "Unable to load Public Key" which is more cleanly printed.

With the recent change to using provided keys in certs the old errors are
no longer output. However printing them in the middle of the cert is
probably not right anyway. So we just rely on the "Unable to load Public
Key" message.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
eaf867011e Fix the expected output of printing certificates
Now that we are using provided keys when loading a certificate the pretty
printing formatting is cosmetically different. We need to adjust expected
test output accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Tomas Mraz
92b835376a EVP_PKEY_new_raw_private_key: Allow zero length keys
Allocate at least one byte to distinguish a zero length key
from an unset key.

Fixes #15632

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15643)
2021-06-08 22:01:34 +10:00
Shane Lontis
f41fd10d90 Add a gettable for provider ciphers to return the EVP_CIPH_RAND_KEY flag
Fixes #15531

DES and TDES set this flag which could possibly be used by applications.
The gettable cipher param OSSL_CIPHER_PARAM_HAS_RAND_KEY has been added.

Note that EVP_CIPHER_CTX_rand_key() uses this flag.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15606)
2021-06-08 15:16:06 +10:00
Juergen Christ
063e019738 Test EVP_CipherInit sequences and resets
Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x.  Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results.  Add some unit tests to cover these rather exotic use
cases.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)
2021-06-08 14:32:44 +10:00
Matt Caswell
8984b552e7 Fix generate_ssl_tests.pl
Fix the generate_ssl_tests.pl script so that it can be run standalone from
the command line according to the instructions in test/README.ssltest.md

Fixes #11430

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15617)
2021-06-07 11:02:42 +01:00
Richard Levitte
97cf9b05fa test/recipes/80-test_cmp_http.t: Don't trust $server_port in start_mock_server()
Even if $server_port isn't touched, it's still a number coming from
configuration.  It's therefore not trustable as an indicator that the
ACCEPT line delivered a port number or an error indication.

$accept_msg is used instead to capture the port if there is one, and
be a better indicator of error.

Fixes #15557
Fixes #15571

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)
2021-06-06 07:34:44 +02:00
Richard Levitte
d00be9f387 test/recipes/80-test_cmp_http.t: Simplify test_cmp_http()
test_cmp_http() made some assumptions about what values that exit_checker
could get that aren't quite right.

Furthermore, the expected result isn't about exit codes, but about
true or false.  This is better served by getting the value from
OpenSSL::Test::run(), and checking that value against $expected_result
with Test::More::is().

Fixes #15557
Fixes #15571

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)
2021-06-06 07:34:44 +02:00
Matt Caswell
d2b6c06274 Ensure libctx/propq is propagated when handling X509_REQ
When we create via d2i or dup an X509_REQ we should ensure that the libctx
is properly propagated. We also ensure we create X509_REQ objects with the
proper libctx assigned in the CMP tests.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:27 +10:00
Matt Caswell
c631378058 Use the new ASN.1 libctx aware capabilities in CMP
Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Matt Caswell
6265348346 Fix evp_extra_test to use libctx in an X509_PUBKEY
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Matt Caswell
f43f9d6313 Test a bad SmtpUTF8Mailbox name constraint
We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)
2021-06-04 17:18:31 +01:00
Dr. David von Oheimb
5d8ea84efa 80-test_http.t: Rename to 79-test_http.t, add basic HTTP server ACCEPT test
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15592)
2021-06-04 07:07:32 +02:00
Dr. David von Oheimb
c796cc9768 80-test_cmp_http.t: Improve comparison on server_port variable
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15592)
2021-06-04 07:07:32 +02:00
Jon Spillett
f6b6574cd7 80-test_cmp_http.t: Re-enable CMP tests for AIX, removing some inessential test cases
Remove negative test cases which simulate an attempt to write file contents to a directory
using a path ending in '/' as this is not compatible with fopen on all platforms, e.g., AIX.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15575)
2021-06-03 16:14:15 +02:00
Pauli
6436030486 rsa: make the maximum key strength check FIPS only.
To be reverted once key generation checks are added everywhere and a way to
disable them implemented.

Fixes #15502

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15560)
2021-06-03 15:32:38 +10:00
Tomas Mraz
ea82158103 ed25519 and ed448: fix incorrect OSSL_PKEY_PARAM_MAX_SIZE
Fixes #15552

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15566)
2021-06-02 17:17:51 +02:00
Dr. David von Oheimb
4388417157 80-test_cms.t: Replace use of ee-self-signed.pem by more suitable smrsa1.pem
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)
2021-06-02 14:49:13 +02:00
Dr. David von Oheimb
07e84e67a6 ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)
2021-06-02 14:49:13 +02:00
Pauli
fd009d763a test: remove TODOs
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15539)
2021-06-02 16:30:15 +10:00
Tomas Mraz
b3c2ed7043 Add NCONF_get_section_names()
And a few additional fixups to make the no-deprecated configuration
to build.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15466)
2021-06-02 12:40:02 +10:00
Tomas Mraz
7e8d6bafd0 Make the 00-prep_*.t recipe truly mandatory
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15550)
2021-06-01 15:07:51 +02:00
Tomas Mraz
c4e9167437 Rename also the OSSL_PROVIDER_name() function
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-06-01 12:43:57 +02:00
Tomas Mraz
ed576acdf5 Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.

Fixes #15236

Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-06-01 12:40:00 +02:00
Jon Spillett
169eca602c Enhance the encoder/decoder tests to allow testing with a non-default library context and configurable providers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
2021-06-01 12:16:27 +02:00
Shane Lontis
e2311445bb Fix aes cfb1 so that it can operate in bit mode.
The code to handle the cipher operation was already in the provider.
It just needed a OSSL_PARAM in order to set this into the algorithm.
EVP_CIPHER_CTX_set_flags() has been modified to pass the OSSL_PARAM.

Issue reported by Mark Powers from Acumen.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
2021-06-01 15:22:30 +10:00
Shane Lontis
f505161e62 Fix PKCS7_verify to not have an error stack if it succeeds.
Revert a change in behavior to BIO_write(). If a NULL BIO
is passed, no error is raised and the return value is 0. There are
many places where the return code from the write was not checked,
resulting in an error stack with no error status being returned.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15493)
2021-05-31 08:45:58 +10:00
Pauli
23e97567be test: add zero strenght arguments to BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Dr. David von Oheimb
d357dd51cb apps/lib/s_socket.c and 80-test_cmp_http.t: Make ACCEPT port reporting more robust
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Shane Lontis
189c4759eb Fix intermittent CI failure in evp_kdf_test for non_caching build.
Fixes #15515

Another case of the order that tests run in causes a failure.
A new test was loading "legacy" into the default lib ctx. If it
ran first then everything fails. The test now has its own lib ctx.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15516)
2021-05-29 07:20:01 +10:00
Shane Lontis
da5f770ae3 Fix PKCS12_create() so that a fetch error is not added to the error stack.
Fixes #15392

PBE algorithms such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC will
currently always fail to the EVP_CIPHER_fetch() call, so the fallback to
a legacy algorithm always happens. In this case the error stack should
ignore the fetch error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15473)
2021-05-28 13:54:19 +02:00
Dr. David von Oheimb
91f2b15f2e TEST: Prefer using precomputed RSA and DH keys for more efficient tests
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
2021-05-27 11:06:01 +02:00
Pauli
422da9bbfb test: test MP genrsa in deprecated builds
These multi-prime tests were omitted when genrsa was deprecated but not
returned when it was restored.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:50 +10:00
Pauli
5c99d57ea3 test: add test for key generation strength > RNG strength
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:50 +10:00
Pauli
dfad3a00be test: test genrsa in deprecated builds
These tests were omitted when genrsa was deprecated but not returned when
it was restored.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:50 +10:00
Rich Salz
449bdf3746 Use "" for include internal/xxx
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15468)
2021-05-27 09:56:41 +10:00
Rich Salz
6229815ab8 Use <> for #include openssl/xxx
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15468)
2021-05-27 09:56:41 +10:00
Tomas Mraz
0800318a0c Deprecate old style BIO callback calls
New style BIO_debug_callback_ex() function added to provide
replacement for BIO_debug_callback().

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15440)
2021-05-26 17:18:34 +02:00
Richard Levitte
7c499c7da9 TEST: Add test specific fipsmodule.cnf, and use it
We add the concept of preparation recipes, which are performed
unconditionally.  They are all expected to match the pattern
test/recipes/00-prep_*.t.

We add one such preparation recipe, test/recipes/00-prep_fipsmodule_cnf.t,
which helps us generate a test specific fipsmodule.cnf, to be used by
all other tests.

Fixes #15166

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
2021-05-26 15:11:01 +02:00
Tomas Mraz
05814be8d6 Add negative test cases for PEM_read_bio_PrivateKey
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15441)
2021-05-26 13:04:38 +02:00
Pauli
b59b2f93a1 test: update RSA test with current bit strengths
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/15428)
2021-05-26 20:39:38 +10:00
Shane Lontis
1ee04b791b Fix buffer overflow when generating large RSA keys in FIPS mode.
A pairwise test runs only in FIPS mode.
An assumption about the size of the 'to' buffer passed to
RSA_private_decrypt() was incorrect. It needs to be up to RSA_size()
bytes long - so a fixed buffer of 256 bytes was not large enough.
An exiting malloc has increased in size to allocate buffer space for
both the encrypt and decrypt buffer.

The existing test used 2080 bits which was not quite large enough to
trigger the issue. A test using 3072 bits has been added.

Reported by Mark Powers from Acumen.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15447)
2021-05-26 17:57:37 +10:00
Petr Gotthard
9080ed2175 Fix building of test/pbetest.c
The test_pkcs5_pbe() function is required twice:
once `if !defined OPENSSL_NO_RC4 && !defined OPENSSL_NO_MD5`
and once `if !defined OPENSSL_NO_DES && !defined OPENSSL_NO_SHA1`

Hence there should be `||` between those. Currently the build fails
if the first condition is false, while the second is true.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15432)
2021-05-26 10:20:24 +10:00
Jon Spillett
b8c09a893c Add special case to skip RC4 reinit
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15276)
2021-05-26 07:27:25 +10:00
Jon Spillett
2710ddef6f Add an evp_libctx_test test run for legacy provider
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15276)
2021-05-26 07:27:25 +10:00
Pauli
36b6db08fe test: add evp_tests for the MAC size and block size
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15427)
2021-05-25 17:23:50 +10:00
Shane Lontis
2abffec0f0 Add fipsinstall option to run self test KATS on module load
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15149)
2021-05-25 14:57:48 +10:00
Richard Levitte
733094ec6b TEST: Avoid using just 'example.com' - test_cmp_http
We have reports that some are using example.com in their /etc/hosts
for testing purposes, so we can't necessarily assume that those will
fail.

We fix it by using "random" hosts in that domain.

Fixes #15395

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15398)
2021-05-24 14:38:40 +02:00
Jon Spillett
094287551a Add a test for PKCS5_PBE_keyivgen()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14326)
2021-05-24 15:23:37 +10:00
Jon Spillett
0f183675b8 Add PBKDF1 to the legacy provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14326)
2021-05-24 15:21:25 +10:00
Shane Lontis
7c14d0c1c0 Rename the field 'provctx and data' to 'algctx' inside some objects containing
pointers to provider size algorithm contexts.

Fixes #14284

The gettable_ctx_params methods were confusingly passing a 'provctx' and
a provider context which are completely different objects.
Some objects such as EVP_KDF used 'data' while others such as EVP_MD used 'provctx'.

For libcrypto this 'ctx' is an opaque ptr returned when a providers algorithm
implementation creates an internal context using a new_ctx() method.
Hence the new name 'algctx'.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15275)
2021-05-24 10:12:18 +10:00
Pauli
b3135f56a6 test: fix typo in comment in threadstest.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
2021-05-24 09:39:15 +10:00
Pauli
235776b2c7 test: add test case to reliably reproduce RAND leak during POST
The FIPS provider leaks a RAND if the POST is run at initialisation time.
This test case reliably reproduces this event.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
2021-05-24 09:39:15 +10:00
Dr. David von Oheimb
b6f0f050fd 80-test_cmp_http: Invert and correct the logic of success vs. failure exit
This makes the logic more intuitive and corrects the interpretation for NonStop.
Fixes #15386

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15402)
2021-05-22 14:31:36 +02:00
Dr. David von Oheimb
5771017d06 apps/cms.c: Correct -sign output and -verify input with -binary
Also add related warnings on irrelevant use of -nodetach and -content options.

Fixes #15347

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15358)
2021-05-22 14:28:51 +02:00
Pauli
862497a918 property: convert integers to strings properly.
The int64_t type was converted to int (truncation).
Negative values were not handled at all.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15396)
2021-05-22 15:30:26 +10:00
Richard Levitte
b54611922b test/params_conversion_test.c: fix the use of strtoumax and strtoimax on VMS
We do this by making them aliases for strtoull and strtoll, since long
long is the current largest integer that have this sort of routine on
VMS.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15366)
2021-05-22 07:23:47 +02:00
Richard Levitte
6251895ca8 Include "internal/numbers.h" in test programs using SIZE_MAX
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15366)
2021-05-22 07:23:47 +02:00
Dmitry Belyavskiy
819b94c0c0 HMAC doesn't work with a default digest
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15371)
2021-05-21 13:07:28 +02:00
Dr. David von Oheimb
ee56cec733 CMP test server: move apps/{,lib/}cmp_mock_srv.c and apps/{,include/}cmp_mock_srv.h
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15343)
2021-05-20 16:23:27 +02:00
Matt Caswell
0789c7d834 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15381)
2021-05-20 14:22:33 +01:00
Richard Levitte
0e5a4da4a8 test/evp_extra_test2.c: Try EVP_PKEY_export() with a legacy RSA key
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15293)
2021-05-20 12:57:22 +01:00
Matt Caswell
b1c053acda Ensure mirroring of properties works for subsequent updates
If the global properties are updated after a provider with a child libctx
has already started we need to make sure those updates are mirrored in
that child.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
2021-05-20 09:35:41 +01:00
Matt Caswell
18cb5c31e1 Test that properties are mirrored as we expect
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
2021-05-20 09:32:42 +01:00
Matt Caswell
ad8570a8b6 Add a test for converting a property list to a string
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
2021-05-20 09:29:30 +01:00
Shane Lontis
0050db7bb3 Test d2i_PrivateKey_bio() does not add errors to stack when decoding a X25519 key sucessfully.
This confirms that another merge has addressed this issue.

Fixes #14996

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15303)
2021-05-20 08:52:57 +01:00
Benjamin Kaduk
a0bbcb42a9 Test new SSL_new_session_ticket() functionality
Now that we can become "in init" directly after the call, test the
various scenarios where explicit SSL_do_handshake() calls can come
into play.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14817)
2021-05-19 14:56:08 -07:00
Dr. David von Oheimb
e34e91d7e5 danetest.c: Improve code formatting
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
2021-05-19 20:15:26 +02:00
Dr. David von Oheimb
cf6cba90d5 80-test_cms.t: Disable new tests for binary input in Windows
This is a quick workaround for #15347.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15351)
2021-05-19 15:03:30 +02:00
Dr. David von Oheimb
6b83d032a6 apps/cms.c: Make -sign and -verify handle binary input
Fixes #8940

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12959)
2021-05-19 09:23:30 +02:00
Dr. David von Oheimb
9be5f9a869 Move ossl_sleep() to e_os.h and use it in apps
Fixes #15304

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15308)
2021-05-18 14:49:33 +02:00
Pauli
4547a71930 seal: make EVP_SealInit() library context aware
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)
2021-05-18 13:24:41 +10:00
Pauli
c9cddf0542 test: conditionally exclude unused code for no-tls1.2 build
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15301)
2021-05-18 12:12:26 +10:00
Rich Salz
55373bfd41 Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION
Add -client_renegotiation flag support.  The -client_renegotiation flag is
equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app,
the config code, and the documentation.

Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to
always enable it, but there are so many tests so this is the easiest thing
to do.

Add a test where client tries to renegotiate and it fails as expected. Add
a test where server tries to renegotiate and it succeeds. The second test
is supported by a new flag, -immediate_renegotiation, which is ignored on
the client.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15184)
2021-05-17 10:53:30 +02:00
Shane Lontis
a1f63873ce Fix compiler error when using config option 'enable-acvp-tests'
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15264)
2021-05-17 09:24:36 +10:00
Richard Levitte
b422ba3dda Adapt 80-test_cmp_http.t and its data for random accept ports
Fixes #14694

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15281)
2021-05-16 12:07:14 +02:00
Benjamin Kaduk
6dc56df26c Add extensive test coverage for SSL_get_negotiated_group()
This is nearly comprehensive, but we cannot exercise the functionality
for PSK-only TLS 1.3 resumption, since openssl talking to openssl will
always negotiate psk_dhe_ke.

Exercise both the TLS 1.3 and 1.2 cases, for initial handshakes
and resumptions, and for ECDHE and FFDHE.
Since RFC 7919 named groups (for FFDHE) are only supported for TLS 1.3,
the TLS 1.2 versions of those scenarios expect to get NID_undef since
the key exchange was not performed using a named group.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14750)
2021-05-15 15:09:07 -07:00
Benjamin Kaduk
f89d3d698c move group lists out of test_key_exchange() in preparation for reuse
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14750)
2021-05-15 15:09:07 -07:00
Benjamin Kaduk
75d4852090 Extend SSL_get_negotiated_group() tests for TLS 1.2
We don't implement RFC 7919 named groups for TLS 1.2, so we can
only test the ECDHE case for non-TLS-1.3.

Interestingly, though the test_key_exchange() routine claimed to
be exercising ffdhe2048 with TLS 1.2, the configured ciphers were
incompatible with DHE key exchange, so we ended up just using RSA
key transport and not doing an ephemeral key exchange at all.
Reconfigure the tests to actually exercise ephemeral key exchange
for both the EC and FF cases (even though we don't use the named
group information for the finite-field case).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14750)
2021-05-15 15:09:07 -07:00
Benjamin Kaduk
c22ad9b64a Regenerate testsid.pem
Convert this file to the new format, that includes the kex_group
integer value.  This is needed in order for the round-trip conversion
test to return the same value as the initial input.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14750)
2021-05-15 15:09:07 -07:00
Matt Caswell
5228271609 Load the default provider into the p_test provider later
Loading it earlier causes some of the later testing to pass when it should
fail and masked a bug.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15270)
2021-05-15 10:33:52 +01:00
Matt Caswell
a113826eac Fix a memleak on an error path in the pkcs12 test helpers
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15269)
2021-05-15 11:39:50 +10:00
Dr. David von Oheimb
647a5dbf10 Add OSSL_ prefix to HTTP_DEFAULT_MAX_{LINE_LENGTH,RESP_LEN}
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
19f97fe6f1 HTTP: Implement persistent connections (keep-alive)
Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.

For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.

If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.

This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
  OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.

Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.

Update the documentation and extend the tests accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Tomas Mraz
b4c4a2c688 Implement pem_read_key directly through OSSL_DECODER
Using OSSL_STORE is too heavy and breaks things.

There were also needed various fixes mainly for missing proper
handling of the SM2 keys in the OSSL_DECODER.

Fixes #14788

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15045)
2021-05-13 13:30:07 +02:00
Pauli
9a633a1c97 test: fix thread test config file problem
Force the thread test to use the configuration file via a command line arg.
Use the test library support for libctx creation.

Fixes #15243

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15256)
2021-05-13 14:22:20 +10:00
Shane Lontis
b98f752ec3 Export/import flags for FFC params changed to seperate fields.
An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was
not handled by the export/import since the flags were done as string combinations.
To keep this consistent with other object flags they are now passed as seperate OSSL_PARAM fields.

Fixes 'no-cached-fetch' build which uses export/import.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15210)
2021-05-13 09:49:18 +10:00
Benjamin Kaduk
80c25611ab Update expected results for tls13kexmodes tests
One of the scenarios constructed in these tests was erroneously
producing successful handshakes until the previous commits, but should
have been failing.  Update our expected behavior to match the
specification requirements, and adjust the commentary slightly for
a test case relevant for the other preceding commit.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14749)
2021-05-12 09:11:48 -07:00
Dr. David von Oheimb
8f965908a5 HTTP client: Minimal changes that include the improved API
This is a minimal version of pull request #15053 including all the
proposed improvements to the HTTP client API and its documentation
but only those code adaptations strictly needed for it.

The proposed new features include
* support for persistent connections (keep-alive),
* generalization to arbitrary request and response types, and
* support for streaming BIOs for request and response data.

The related API changes include:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
  OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15147)
2021-05-12 15:11:51 +02:00
Tomas Mraz
6a2ab4a9c8 Allow arbitrary digests with ECDSA and DSA
Unless the FIPS security check is enabled we allow arbitrary digests
with ECDSA and DSA.

Fixes #14696

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15220)
2021-05-12 13:12:00 +02:00
Matt Caswell
5725ab8087 property: add test case for setting default user properties before fetching
Shamelessly culled from #15218.

Co-authored-by: Dr Paul Dale <pauli@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15222)
2021-05-12 18:20:03 +10:00
Dr. David von Oheimb
c6b7239072 80-test_cmp_http.t: Improve fuzzing exclusion pattern - fixup!
This now correctly fixes #14966.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15217)
2021-05-11 21:25:10 +02:00
Matt Caswell
fb9b3a7bce Add additional testing of child libctx/providers
Add a case where a provider explicitly loads a provider into a child
libctx where it does not already exist.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
2021-05-11 15:03:13 +01:00
Matt Caswell
8c62707565 Add support for child provider to up_ref/free their parent
If the ref counts on a child provider change, then this needs to be
reflected in the parent so we add callbacks to do this.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
2021-05-11 14:59:43 +01:00
Matt Caswell
3b85bcfa14 Add a test to check that child provider callbacks are working
Write a test to confirm that if a provider is unloaded/loaded into a
libctx then it is similarly unloaded/loaded from any child libctxs.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
2021-05-11 14:59:43 +01:00
Matt Caswell
5442611dff Add a test for OSSL_LIB_CTX_new_child()
Check that we can create such a libctx and usable providers are loaded
into it.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
2021-05-11 14:59:43 +01:00
Matt Caswell
f12a5690de Add the concept of a child OSSL_LIB_CTX
Add a child OSSL_LIB_CTX that will mirror the providers loaded into the
parent libctx. This is useful for providers that want to use algorithms
from other providers and just need to inherit the providers used by the
application.

Fixes #14925

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
2021-05-11 14:56:55 +01:00
Matt Caswell
a16d21744d Add the ability for ex_data to have a priority
Where an object has multiple ex_data associated with it, then we free that
ex_data in order of priority (high priority first).

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
2021-05-11 14:56:55 +01:00
Dr. David von Oheimb
f925315203 Add convenience functions and macros for asymmetric key generation
Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen().
Also export auxiliary function OSSL_EC_curve_nid2name()
and improve deprecation info on RSA and EC key generation/management functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14695)
2021-05-11 12:46:42 +02:00
Dmitry Belyavskiy
6dbb277627 Tests for creating req from PKCS8 keys with extra attrs
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15142)
2021-05-11 12:12:32 +02:00
Pauli
a7a7e6e3a6 Reduce the runtime/output from the gmdiff test
Reduce from 1e6 iterations to 1e3.  Add additional cases to cover the same
range although most intermediate values will be skipped.

Fixes #15185

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15202)
2021-05-11 18:15:06 +10:00
Shane Lontis
d29d7a7ff2 Fix i2d_PKCS8PrivateKey_nid_bio() regression.
This method ignores the nid and could end up saving out the private key unencrypted

In earlier alpha releases OSSL_num_encoders() returned 0 for this test
case, which then meant that the legacy path was run, and the key was
then correctly encrypted.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15152)
2021-05-10 13:23:50 +10:00
Daniel Bevenius
8be513ae46 Mark pop/clear error stack in der2key_decode_p8
This commit sets the error mark before calling d2i_X509_SIG
and clear it if that function call is successful.

The motivation for this is that if d2i_X509_SIG returns NULL then the
else clause will be entered and d2i_PKCS8_PRIV_KEY_INFO will be
called. If d2i_X509_SIG raised any errors those error will be on the
error stack when d2i_PKCS8_PRIV_KEY_INFO gets called, and even if it
returns successfully those errors will still be on the error stack.

We ran into this issue when upgrading Node.js to 3.0.0-alpha15.
More details can be found in the ref links below.

Refs: https://github.com/nodejs/node/issues/38373
Refs: https://github.com/danbev/learning-libcrypto/blob/master/notes/wrong-tag-issue2.md

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15067)
2021-05-09 11:31:52 -07:00
Theo Buehler
e70abb8b4c Test oct2point for hybrid point encoding of (0, y)
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15108)
2021-05-09 14:52:53 +03:00
Dr. David von Oheimb
ab9d1af955 80-test_cmp_http.t: Improve fuzzing exclusion pattern
Fixes #14966

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15158)
2021-05-08 15:01:06 +02:00
Dr. David von Oheimb
0a8a6afdfb Add quick one-shot EVP_Q_mac() and deprecation compensation decls for MAC functions
This helps compensating for deprecated functions such as HMAC()
and reduces clutter in the crypto lib, apps, and tests.
Also fixes memory leaks in generate_cookie_callback() of apps/lib/s_cb.c.
and replaces 'B<...>' by 'I<...>' where appropriate in HMAC.pod

Partially fixes #14628.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14664)
2021-05-08 14:35:03 +02:00
Pauli
0f4fb64785 apps/mac: Add digest and cipher command line options
Add -cipher and -digest as short forms of -macopt cipher: and -macopt digest:
respectively.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15189)
2021-05-08 22:15:56 +10:00
Pauli
68f3fb0514 apps: remove initial newline from mac output
Fixes #13247

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15189)
2021-05-08 22:15:56 +10:00
Pauli
a1230dea4d apps: add mac, cipher and digest arguments to the kdf applet.
This adds -digest, -mac and -cipher which correspond to -kdfopt digest: and
-kdfopt mac: and -kdfopt cipher: respectively.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15190)
2021-05-08 22:13:49 +10:00
Pauli
ced7df2638 test: add a provider load/unload cache flush test.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15042)
2021-05-07 23:53:18 +10:00
Jon Spillett
f71a745358 Fixes #14662. Return all EC parameters even for named curves
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15060)
2021-05-07 11:52:07 +02:00
Jon Spillett
592ea4ba94 Fixes #15070. Allow custom algorithm ID ASN.1 encoding for provided ciphers
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15130)
2021-05-07 11:00:54 +02:00
Tomas Mraz
bfe2fcc840 evp_extra_test: Avoid potential double free of params
Fixes #14916

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15135)
2021-05-06 17:01:05 +02:00
Matt Caswell
aff636a489 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15181)
2021-05-06 13:03:23 +01:00
Tomas Mraz
d105a24c89 Add some tests for -inform/keyform enforcement
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
2021-05-06 11:43:32 +01:00
Tomas Mraz
d382e79632 Make the -inform option to be respected if possible
Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be
set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.

The input type format is enforced only in case the file
type file store is used.

By default we use FORMAT_UNDEF meaning the input type
is not enforced.

Fixes #14569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
2021-05-06 11:43:32 +01:00
Dr. David von Oheimb
284076982d APPS: Slightly extend and improve documentation of the opt_ API
Also remove redundant opt_name() and make names of opt_{i,u}ntmax() consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)
2021-05-05 20:48:20 +02:00
Benjamin Kaduk
6c0ac9b99f adapt tests to SSL_OP_LEGACY_SERVER_CONNECT change
The "bad DTLS" tests run into trouble due to the special behavior
for that "bad" version, and the SSL record tests need to set the
-legacy_server_connect flag to allow an SSLv2 ClientHello to work
against any TLS server (since SSLv2 ClientHello messages cannot
carry extensions as would be needed in order to negotiate the use
of the renegitiation_info extension).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)
2021-05-05 08:13:51 -07:00
Pauli
6a38b09a7f mac: allow XOF MACs to be specified either via control or via the dedicated function
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15061)
2021-05-05 22:11:04 +10:00
Rich Salz
f7050588bc Add .includedir pragma
Also add a negative test, and fix typo's.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15090)
2021-05-05 13:11:35 +02:00
Dr. David von Oheimb
97b59744f2 cleanup where purpose is not needed in 25-test_verify.t
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
2021-05-05 09:51:39 +02:00
Dr. David von Oheimb
eca4826a29 test/certs/setup.sh: Fix two glitches
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
2021-05-05 09:51:39 +02:00
Dr. David von Oheimb
c774f4e50f update test/certs/ee-pathlen.pem to contain SKID and AKID
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
2021-05-05 09:51:39 +02:00
Dr. David von Oheimb
4f449d90dd test/certs/setup.sh: structural cleanup
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
2021-05-05 09:51:39 +02:00
Rich Salz
a485561b2e Fetch cipher-wrap after loading providers.
Use official (first) names for wrapping algorithms.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14182)
2021-05-05 09:46:56 +02:00
Shane Lontis
2b05439f84 Fix KMAC bounds checks.
Setting an output length higher than 8191 was causing a buffer overflow.
This was reported by Acumen (FIPS lab).

The max output size has increased to ~2M and it now checks this during set_parameters.

The encoder related functions now pass in the maximum size of the output buffer so they
can correctly check their size. kmac_bytepad_encode_key() calls bytepad twice in
order to calculate and check the length before encoding.

Note that right_encode() is currently only used in one place but this
may change if other algorithms are supported (such as TupleHash).

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15106)
2021-05-05 17:39:27 +10:00
Dr. David von Oheimb
9520fe5f49 testutil/load.c: Add checks for file(name) == NULL
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15120)
2021-05-04 18:26:21 +02:00
Matt Caswell
93954ab050 Add a test for the public core bio API
Check that reading/writing to a core bio via BIO_new_from_core_bio()
works as expected.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15072)
2021-05-04 12:00:21 +01:00
Pauli
67cd43084c test: fix failure with FIPS and no-des configured.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15105)
2021-05-04 20:39:28 +10:00
Shane Lontis
38e12964a6 Fix no-fips-securitychecks test failure
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15091)
2021-05-01 13:09:07 +10:00
Tomas Mraz
b594a22717 SM2 signatures work correctly only with SM3 digests
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15074)
2021-04-30 15:15:54 +02:00
Pauli
38230e3011 acvp: fix the no-acvp_test build
A pair of the disabled string checks were incorrect.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15082)
2021-04-30 17:51:44 +10:00
Shane Lontis
e9d62da6c3 Fix CRL app so that stdin works.
Fixes #15031

The maybe_stdin needed to be passed to load_key_certs_crls().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15058)
2021-04-30 16:04:52 +10:00
Pauli
c7d848e220 remove end of line whitespace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
2021-04-30 09:15:50 +10:00
Jon Spillett
b536880c45 Add library context and property query support into the PKCS12 API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
2021-04-30 09:15:50 +10:00
Matt Caswell
d77ba503a2 Adjust ssl_test_new for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
ssl_test_new needed some adjustments in the event that DTLSv1.2 is disabled.

There are also adjustments required if using the FIPS module and DTLSv1.2
is disabled. The only DTLS version supported by the FIPS module is
DTLSv1.2.

Fixes  #14956

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
2021-04-29 15:52:49 +01:00
Matt Caswell
8ce390e139 Adjust sslapitest for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
sslapitest needed some adjustments in the event that DTLSv1.2 is disabled.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
2021-04-29 15:52:49 +01:00
Matt Caswell
fdf312709a Adjust dtlstest for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
dtlstest needed some adjustments in the event that DTLSv1.2 is disabled.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
2021-04-29 15:52:49 +01:00
Tomas Mraz
c404e4fab3 Add test case for openssl crl -noout -hash output
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15044)
2021-04-29 11:36:12 +02:00
Matt Caswell
e9b30d9f50 Test a Finished message at the wrong time results in unexpected message
We test that sending a Finished message instead of a ClientHello results
in an unexpected message error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14930)
2021-04-28 16:23:08 +01:00
Matt Caswell
98369ef25f Add a threading test for loading/unloading providers
Check that we don't see any threading issues when loading/unloading a
provider from multiple threads.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15010)
2021-04-28 15:51:10 +01:00
Dr. David von Oheimb
1751768cd1 ESS: Export three core functions, clean up TS and CMS CAdES-BES usage
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)
2021-04-28 14:10:45 +02:00
Tomas Mraz
624359374b Skip test_fipsload when fips is disabled.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15027)
2021-04-28 12:06:08 +02:00
David Benjamin
cdf63a3736 Add X509 version constants.
The X509 version APIs return the numerical values of the version
numbers, which are one off from the names. This is a bit confusing.
Where they don't get it wrong (accidentally making an "X509v4"
certificate), callers tend to try commenting every call site to explain
the mismatch, including in OpenSSL itself.

Define constants for these values, so code can be self-documenting and
callers are nudged towards the right values.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14549)
2021-04-28 11:40:06 +02:00
Kevin Cadieux
d97adfda28 memleaktest with MSVC's AddressSanitizer
Disabling memleaktest under MSVC because leak detection is not a supported feature with MSVC's AddressSanitizer. Leaving ASan enabled in this case causes a test failure because the test suite is expecting the leak to be detected.

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14581)
2021-04-28 11:37:32 +02:00
Jon Spillett
e1491a2f15 Add testing for updated cipher IV
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15041)
2021-04-28 10:01:12 +02:00
Tomas Mraz
8365652287 Use "canonical" names when matching the output of the commands
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
2021-04-28 09:38:31 +02:00
Tomas Mraz
680dbd16dc Skip GOST engine tests in out of tree builds
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
2021-04-28 09:38:31 +02:00
Shane Lontis
e466dc3646 Test that we don't have a memory leak in d2i_ASN1_OBJECT.
Fixes #14667

Reworked test supplied by @smcpeak into a unit test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14938)

(cherry picked from commit 7c65179ad9)
2021-04-27 12:43:52 +02:00
Paul Kehrer
a938f0045e re-add pyca/cryptography testing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)
2021-04-27 19:09:03 +10:00
Shane Lontis
c85c5e1a53 Deprecate EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters().
The replacement functions EVP_PKEY_eq() and EVP_PKEY_parameters_eq()
already exist.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14997)
2021-04-27 09:45:53 +10:00
Shane Lontis
f1ffaaeece Fixes related to separation of DH and DHX types
Fix dh_rfc5114 option in genpkey.

Fixes #14145
Fixes #13956
Fixes #13952
Fixes #13871
Fixes #14054
Fixes #14444

Updated documentation for app to indicate what options are available for
DH and DHX keys.

DH and DHX now have different keymanager gen_set_params() methods.

Added CHANGES entry to indicate the breaking change.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14883)
2021-04-26 19:52:11 +02:00
Tomas Mraz
6c9bc258d2 Add type_name member to provided methods and use it
Fixes #14701

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14898)
2021-04-26 12:05:05 +02:00
Richard Levitte
a70936a845 TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt
Some keys with groups that aren't supported by FIPS were still used
for Derive stanzas, even when testing with the FIPS provider.
This was due to the flaw in evp_keymgmt_util_try_import() that meant
that even though the key was invalid for FIPS, it could still come
through, because the imported keydata wasn't cleared on import error.
With that flaw corrected, these few Derive stanzas start failing.

We mitigate this by making of "offending" Derive stanzas only
available with the default provider.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)
2021-04-23 20:22:49 +02:00
Pauli
45e72d1f27 test: separate some DES based tests out to permit a no-des build to work
One of the KDFs and one of the MACs use DES as an underlying algorithm in some
tests.  Separate these out into their own files which are conditionally excluded.

Fixes #14958

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14975)
2021-04-23 11:27:58 +02:00
Pauli
e98a182e51 test: fix test_evp_kdf when DES is disabled.
Fixes #14958

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14975)
2021-04-23 11:27:58 +02:00
Pauli
582043dae7 Runchecker fix for the no-autoerrinit build
In this case, there was a slight different error output format that wasn't
being accounted for in the error test.

Fixes #14961

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14976)
2021-04-23 11:25:25 +02:00
Pauli
94dc4282c3 Runchecker: fix TLS curves test failure with no-tls1_3 option
The TLS curves test strong assumes that TLS 1.2 and TLS 1.3 are present.
It is only conditioned out if TLS 1.2 isn't.  This changes also conditions
it out if TLS 1.3 isn't present.

Fixes ##14965

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14978)
2021-04-23 11:13:30 +02:00
Pauli
da671c4184 Runchecker: fix no-ec2m build which was trying to validate the e2cm curves
The evp_extra_test program was trying to validate these curves when they were
not build.

Fixes #14959

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14977)
2021-04-23 11:11:03 +02:00
Tomas Mraz
5af6e154d0 Trivial shortcuts for EVP_PKEY_eq()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14942)
2021-04-23 10:48:20 +02:00
Tomas Mraz
64c609e71e test_sslextension: skip tests that cannot work with no-tls1_2
Fixes runchecker failure of no-tls1_2 build.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14955)
2021-04-22 17:48:07 +02:00
Tomas Mraz
1fac270501 Fix potential NULL dereference in OSSL_PARAM_get_utf8_string()
Fixes Coverity ID 1476283

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14928)
2021-04-22 16:46:20 +02:00
Matt Caswell
f5afac4bda Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14986)
2021-04-22 14:38:44 +01:00
MichaM
af9fb19a47 Fix typos
CLA: trivial

Signed-off-by: MichaM <contact-micha+github@posteo.de>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14879)
2021-04-22 11:16:35 +10:00
Richard Levitte
7aef200089 TEST: Adapt the EVP test
The EVP test didn't recognise ERR_R_UNSUPPORTED, now does

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
2021-04-21 10:53:03 +02:00
Pauli
6bcbc36985 test: fix double free problems.
In function test_EVP_PKEY_ffc_priv_pub, params is freed via OSSL_PARAM_free() at line 577.
If the condition at line 581 is true, the execution will goto err, and params will be freed again at line 630.

The same problem also happens at line 593 and line 609, which causes two double free bugs.

Bugs reported by @Yunlongs

Fixes 14916

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
2021-04-21 09:17:22 +10:00
Dr. David von Oheimb
1c0eede982 Improve ossl_cmp_build_cert_chain(); publish it as X509_build_chain()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14128)
2021-04-20 10:47:24 +02:00
Tomas Mraz
cd0aca5320 Update krb5 module to latest release
Fixes #14902

Also add workaround of `sudo hostname localhost` for the
intermittent test failures seen in CI.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14872)
2021-04-19 11:46:39 -07:00
Matt Caswell
ee203a87ff Add a test for OSSL_LIB_CTX_set0_default
Also includes testing for OSSL_LIB_CTX_get0_global_default().

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
2021-04-19 10:52:18 +01:00
Matt Caswell
57e7401fc5 Fix some TODO(3.0) occurrences in ssl/t1_lib.c
One was related to probing for the combination of signature and hash
algorithm together. This is currently not easily possible. The TODO(3.0)
is converted to a normal comment and I've raised the problem as issue
number #14885 as something to resolve post 3.0.

The other TODO was a hard coded limit on the number of groups that could
be registered. This has been amended so that there is no limit.

Fixes #14333

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14886)
2021-04-19 10:39:12 +01:00
Tanzinul Islam
96d4ec6724 Avoid more MSVC-specific C runtime library functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:54 +02:00
Tomas Mraz
a4afa6c1d0 Add test for the IV handling of DES based ciphers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14882)
2021-04-19 10:01:08 +02:00
Richard Levitte
a0fff549e6 TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)
2021-04-18 10:10:24 +02:00
Richard Levitte
42423ac961 TEST: Modify how the retrieved digest name for SM2 digestsign is checked
Because of aliases, retrieved names won't always match one specific
string.  A safer way to check is to fetch the digest from the
retrieved name and check it's the expected one with the help of
EVP_MD_is_a().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)
2021-04-18 10:10:24 +02:00
Richard Levitte
6ee1ae3293 TEST: Modify testutil's run_tests to display NOSUBTEST cases individually
When test cases were added with ADD_ALL_TESTS_NOSUBTEST(), all those
iteration verdicts were summarized as if it was one single case.  This
modification gets each iteration verdict displayed separately instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)
2021-04-18 10:10:23 +02:00
Richard Levitte
ebb3c82b9c TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)
2021-04-18 10:10:23 +02:00
Rich Salz
f6c95e46c0 Add "origin" field to EVP_CIPHER, EVP_MD
Add a "where did this EVP_{CIPHER,MD} come from" flag: global, via fetch,
or via EVP_{CIPHER,MD}_meth_new.  Update EVP_{CIPHER,MD}_free to handle all
three origins. The flag is deliberately right before some function pointers,
so that compile-time failures (int/pointer) will occur, as opposed to
taking a bit in the existing "flags" field.  The "global variable" flag
is non-zero, so the default case of using OPENSSL_zalloc (for provider
ciphers), will do the right thing. Ref-counting is a no-op for
Make up_ref no-op for global MD and CIPHER objects

Deprecate EVP_MD_CTX_md().  Added EVP_MD_CTX_get0_md() (same semantics as
the deprecated function) and EVP_MD_CTX_get1_md().  Likewise, deprecate
EVP_CIPHER_CTX_cipher() in favor of EVP_CIPHER_CTX_get0_cipher(), and add
EVP_CIPHER_CTX_get1_CIPHER().

Refactor EVP_MD_free() and EVP_MD_meth_free() to call new common
evp_md_free_int() function.
Refactor EVP_CIPHER_free() and EVP_CIPHER_meth_free() to call new common
evp_cipher_free_int() function.

Also change some flags tests to explicit test == or != zero. E.g.,
        if (flags & x) --> if ((flags & x) != 0)
        if (!(flags & x)) --> if ((flags & x) == 0)
Only done for those lines where "get0_cipher" calls were made.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14193)
2021-04-18 10:03:07 +02:00
Pauli
e494fac705 Fix naming for EVP_RAND_CTX_gettable functions.
Change:

    EVP_RAND_gettable_ctx_params -> EVP_RAND_CTX_gettable_params
    EVP_RAND_settable_ctx_params -> EVP_RAND_CTX_settable_params

Which brings them in line with the other similar functions for other algorithm
types.

Fixes #14880

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14893)
2021-04-17 18:22:13 +10:00
Pauli
34ed733396 SipHash: Fix CTRL API for the digest size.
Adds a mapping from "digestsize" to "size" for setting a param.

Fixes #14370

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14850)
2021-04-16 09:00:41 +10:00
Shane Lontis
a732a4c329 Add EVP_PKEY_todata() and EVP_PKEY_export() functions.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14800)
2021-04-15 18:42:04 +02:00
Tomas Mraz
ddf0d149e2 Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name
We use type elsewhere and documenting the 'first' in the
name of the call is a little bit superfluous making the
name too mouthful.

Also rename EVP_PKEY_typenames_do_all to
EVP_PKEY_type_names_do_all to keep the words separated by
underscore.

Fixes #14701

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14868)
2021-04-15 17:38:19 +02:00
Tomas Mraz
85fcc3fb77 Remove keymgmt_copy function from the provider API
It is superceded by the keymgmt_dup.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)
2021-04-15 09:19:39 +02:00
Dr. David von Oheimb
b9cd82f95b 80-test_cmp_http.t: Extend diagnostics of mock server launch
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14839)
2021-04-14 19:45:45 +02:00
Dr. David von Oheimb
cfe20aee3b 80-test_cmp_http.t: Silence check for availability of 'kill' and 'lsof' commands
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14839)
2021-04-14 19:45:45 +02:00
Dr. David von Oheimb
c6df354c2a 80-test_cmp_http.t: Fix resumption when skipping after mock server launch failed
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14839)
2021-04-14 19:45:45 +02:00
Dr. David von Oheimb
f56c9c7c94 APPS and TEST: Make sure prog name is set for usage output
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14841)
2021-04-14 16:51:11 +02:00
Shane Lontis
46eee7104d Add domain parameter match check for DH and ECDH key exchange.
Fixes #14808

Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever
checking that the domain parameters were consistent between the 2
parties. It now checks the parameters match as well as validating the
peers public key.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14823)
2021-04-14 16:01:13 +10:00
Todd Short
feba11cf2e Handle set_alpn_protos inputs better.
It's possible to set an invalid protocol list that will be sent in a
ClientHello. This validates the inputs to make sure this does not
happen.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14815)
2021-04-13 12:29:37 +02:00
Shane Lontis
3fed27181a Add FIPS Self test for AES_ECB decrypt
Fixes #14807

Compliance with IG 9.4 requires that an inverse cipher function be
tested if one is implemented. Just running AES_GCM encrypt/decrypt does not meet this
requirement (Since only ECB, CBC, XTS, KW, KWP support the inverse
function during decryption mode).

Added a mode to the cipher test so that the AES_GCM only does an encrypt
and AES_ECB only does a decrypt. TDES still does both.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14825)
2021-04-13 13:06:37 +10:00
Matt Caswell
28fd895305 Remove the function EVP_PKEY_set_alias_type
OTC recently voted that EVP_PKEY types will be immutable in 3.0. This
means that EVP_PKEY_set_alias_type can no longer work and should be
removed entirely (applications will need to be rewritten not to use it).

It was primarily used for SM2 which no longer needs this call.
Applications should generate SM2 keys directly (without going via an EC
key first), or otherwise when loading keys they should automatically be
detected as SM2 keys.

Fixes #14379

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14803)
2021-04-12 11:47:24 +01:00
Matt Caswell
a3a54179b6 Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Fixes #13794

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14799)
2021-04-12 11:32:05 +01:00
Tomas Mraz
4ec4b063e0 Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
This is necessary to keep compatibility with 1.1.1 implementation
of the CBC, OFB, and CFB mode ciphers.

Fixes #14704

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14811)
2021-04-12 09:49:09 +02:00
Shane Lontis
3f883c7c83 Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14785)
2021-04-12 16:55:30 +10:00
Shane Lontis
884314cab7 Add OSSL_PARAM_dup() and OSSL_PARAM_merge().
These functions are prerequisites for implementing EVP_PKEY_todata().

OSSL_PARAM_dup() is required to make a deep copy of the exported
params (since the provider export() uses a OSSL_PARAM_BLD which throws away the
data after the call), and then use OSSL_PARAM_merge() to add some additional params
that can be passed to the EVP_PKEY_todata().

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14785)
2021-04-12 16:55:29 +10:00
Pauli
810a169eb2 kmac: add long customisation string example
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14810)
2021-04-12 14:59:09 +10:00
Armin Fuerst
b1c908f421 apps: fix warning about size_t / int conversion
Windows builds show the following warning:
(..\apps\ca.c(2643): warning C4267: 'function': conversion
from 'size_t' to 'int', possible loss of data)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14453)
2021-04-09 16:20:47 +02:00
Christian Heimes
dfccfde065 Inherit hostflags verify params even without hosts
X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts.

Previously hostflags were only copied when at least one host was set.
Typically applications don't configure hosts on SSL_CTX. The change
enables applications to configure hostflags on SSL_CTX and have OpenSSL
copy the flags from SSL_CTX to SSL.

Fixes: https://github.com/openssl/openssl/issues/14579
Signed-off-by: Christian Heimes <christian@python.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14743)
2021-04-09 08:32:38 +10:00
Dr. David von Oheimb
4957d95208 PEM_X509_INFO_read_bio_ex(): Generalize to allow parsing any type of private key
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14647)
2021-04-08 15:18:58 +02:00
Dr. David von Oheimb
c1fd710297 d2i_PrivateKey{,_ex}() and PEM_X509_INFO_read_bio_ex(): Fix handling of RSA/DSA/EC private key
This is needed to correct d2i_PrivateKey() after it was changed by commit 576892d78f.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14647)
2021-04-08 15:18:58 +02:00
Matt Caswell
3c2bdd7df9 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14801)
2021-04-08 13:04:41 +01:00
Pauli
b7dedba8b1 test: add extra secure memory test case.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14782)
2021-04-08 18:31:10 +10:00
Pauli
a135dea4e0 test: fix problem with threads test using default library context.
Also add a new test that deliberately tests the default library context.

Fixes #14720

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14773)
2021-04-08 17:46:35 +10:00
Pauli
89f7ea045b test: fix coverity 1473234 & 1473239: argument cannot be negative
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14620)
2021-04-08 08:49:27 +10:00
Richard Levitte
41385f2708 test/recipes/02-test_errstr.t: Do not test negative system error codes
It's been deemed unlikely that these will end up in OpenSSL error
records, so we simply don't test them if they happen to be among the
error codes that perl has support for.

Fixes #14763

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14779)
2021-04-07 22:09:58 +02:00
Pauli
014498fff9 test: fix coverity 1475940: negative return
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14769)
2021-04-07 23:30:42 +10:00
Pauli
97ef45ea13 test: fix coverity 1475941: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14769)
2021-04-07 23:30:42 +10:00
Nan Xiao
493e78986f Fix potential double free in sslapitest.c
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14758)
2021-04-07 09:08:19 +10:00
Shane Lontis
e454a3934c Add a range check (from SP800-56Ar3) to DH key derivation.
Fixes #14401

Note that this moves the public key check out of DH compute_key() since
key validation does not belong inside this primitive..
The check has been moved to the EVP_PKEY_derive_set_peer() function so that
it generally applies to all exchange operations.. Use EVP_PKEY_derive_set_peer_ex()
to disable this behaviour.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14717)
2021-04-01 09:07:08 +10:00
Dr. David von Oheimb
2318379119 OSSL_parse_url(): Improve handling of IPv6 addresses
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
2021-03-31 19:53:05 +02:00
Dr. David von Oheimb
f7c4d86228 80-test_cmp_http.t: Add diagnostic info on starting/stopping mock server
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
2021-03-31 19:53:05 +02:00
Matt Caswell
c6b09ea0fe Fix change in behaviour of EVP_PKEY_CTRL_RSA_KEYGEN_BITS
In 1.1.1 the ctrl EVP_PKEY_CTRL_RSA_KEYGEN_BITS would fail immediately
if the number of bits was too small. In 3.0 it always succeeds, and only
fails later during the key generation stage.

We fix that so that it fails early like it used to in 1.1.1.

Note that in 1.1.1 it fails with a -2 return code. That is not the case
in 3.0 and has not been addressed here (see #14442)

Fixes #14443

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14702)
2021-03-30 19:22:33 +02:00
David Benjamin
1368f0cdf5 Merge OFB encrypt and decrypt test vectors.
There's no point in specifying them separately, since they're the same.
Also the OFB-AES192.Decrypt vectors specified the wrong operation, so we
were running some encryption tests twice and missing some decryption
tests.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14625)
2021-03-30 19:10:10 +02:00
Pauli
92b3e62fdd test: fix coverity 1474468: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
2021-03-30 18:57:30 +02:00
Tomas Mraz
2145ba5e83 Implement EVP_PKEY_dup() function
Fixes #14501

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14624)
2021-03-28 16:38:57 +10:00
Pauli
808c63c5d0 test: add test case for X508_PUBKEY_dup() function
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14642)
2021-03-28 16:34:34 +10:00
Shane Lontis
ed2e5b612d Disable cmp_http test on AIX
AIX has permission problems of the form:

lsof: can't open /dev/mem: Permission denied
lsof: can't open /dev/kmem: Permission denied

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14692)
2021-03-28 12:38:52 +10:00
Richard Levitte
53eecb5de5 TEST: Cleanup test recipes
Name mixups cleared, and a few more test case result files that
arent't removed, making forensics on failed tests easier.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14505)
2021-03-27 09:03:55 +01:00
Tomas Mraz
bf5b37cedf Make the SM2 group the default group for the SM2 algorithm
Fixes #14481

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14684)
2021-03-26 16:11:09 +01:00
Tomas Mraz
cede07dc51 Remove the external BoringSSL test
Fixes #14424

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14682)
2021-03-26 14:24:06 +01:00
Pauli
8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
3352a4f6fa test: fix coverity 1451550: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
f47865156a test: fix coverity 1429210: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:02 +10:00
Pauli
b8cb90cdb6 test: fix coverity 1416888: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
0d2b8bd261 test: fix coverity 1414451: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Pauli
6a6844a219 test: fix coverity 1338157: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
2021-03-26 08:46:01 +10:00
Tomas Mraz
4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible
Use OSSL_DECODER to decode the PKCS8 data to create provided keys.

If that fails fallback to the legacy implementation.

Fixes #14302

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14659)
2021-03-25 15:24:00 +01:00
Matt Caswell
112580c27b Add a test for CVE-2021-3449
We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
2021-03-25 09:48:08 +00:00
Pauli
66325793cc test: fix coverity 1451534: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
69fb52e028 test: fix coverity 1469427: impropery use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
51d1991ecd test: fix coverity 1454812: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
9ba18520ff test: fix coverity 1451574: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Pauli
fe10fa7521 test: fix coverity 1371689 & 1371690: improper use of negative values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
2021-03-24 09:12:43 +10:00
Jon Spillett
6511f686c2 endecode_test: Add file and line arguments to test callbacks
To improve debug information in case of test failures source
file and line arguments are added to test callbacks.

Fixes #14331

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14567)
2021-03-23 08:46:04 +01:00
Andrey Matyukov
c781eb1c63 Dual 1024-bit exponentiation optimization for Intel IceLake CPU
with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU frequency scaling issues.
The performance speedup for RSA2k signature on ICL is ~2x.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13750)
2021-03-22 09:48:00 +00:00
Shane Lontis
251c48183b Fix DER reading from stdin for BIO_f_readbuffer
Fixes #14559

The intitial implementation of the gets() function tried using the next bio's gets() function.
For a file BIO this returned incorrect data for binary data containing 0x00.
Just buffering all data during gets() did not work however since some
applications open and close the bio multiple times when dealing with pem
files containing multiple entries.. This does not work
when reading from stdin unless the data if buffered one byte at a time.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14599)
2021-03-22 09:07:36 +10:00
Pauli
c38048e793 sslapitest: fix problem in cleanup on failure path
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:33 +10:00
Pauli
f1619160c8 test: coverity 1469426 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
8f586f5bc1 test: coverity 1455749 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
337ace06b9 test: coverity 1455747 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
9b0f76e12f test: fix coverity 1470559: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:08:00 +10:00
Pauli
015b221a5f test: fix coverity 1455330, 1455332, 1455334, 1455342, 1455344 : resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:08:00 +10:00
Pauli
65bf029d49 test: fix coverity 1414449 & 1414471: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
c0cd48fcb9 test: fix coverity 1414445: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
316c8dafd4 test: fix coverity 1454040: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
743840d56f test: fix coverity 1451562: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
b573d0ceea test: fix coverity 1451553: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Richard Levitte
55d9ccca8e TEST: Clarify and adjust test/recipes/30-test_evp.t
There are a few test cases at the end of test/recipes/30-test_evp.t,
which are designed to check that loading DSA keys when DSA is disabled,
or SM2 keys when SM2 is disables fail in an understandable way.  These
needed a small adjustment.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00