Commit Graph

28022 Commits

Author SHA1 Message Date
Dr. David von Oheimb
63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value'
Add internal asn1_time_print_ex() that can return success on invalid time.
This is a workaround for inconsistent error behavior of ASN1_TIME_print(),
used in X509_print_ex().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13714)
2021-01-20 15:55:58 +01:00
Dr. David von Oheimb
b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13714)
2021-01-20 15:55:58 +01:00
Dr. David von Oheimb
9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13719)
2021-01-20 15:53:47 +01:00
Jon Spillett
3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters
Needed to be able to set the libctx and propq.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13894)
2021-01-20 13:10:49 +01:00
Jon Spillett
ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13894)
2021-01-20 13:10:49 +01:00
Dr. David von Oheimb
07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF()
Also improve list layout of some comments.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13895)
2021-01-20 11:08:35 +01:00
Shane Lontis
3e878d924f Remove pkey_downgrade from PKCS7 code
Fixes #12991

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13435)
2021-01-20 15:35:26 +10:00
Dr. David von Oheimb
c972577684 util/check-format.pl: Minor improvements of whitespace checks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13710)
2021-01-19 17:23:39 +01:00
Rich Salz
83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx
Deprecations made:
    OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX
    OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new
    OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free
    OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header
    OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header
    OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d
    OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio
    OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length
    OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i
    OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio

Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES
text inline.  Some of the original functions had no documentation:
OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio,
OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio.  Their new counterparts
are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod

Fixes #12234

Co-authored-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13742)
2021-01-19 11:13:15 +01:00
Richard Levitte
fee0af0863 DOCS: Fix the last few remaining pass phrase options references
There were a few lingering older style references to the pass phrase
options section, now streamlined with all the others.

Fixes #13883

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13885)
2021-01-19 11:09:03 +01:00
Kurt Roeckx
47b784a41b Fix memory leak in mac_newctx() on error
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13702)
2021-01-18 15:26:29 +01:00
Shane Lontis
038f4dc68e Fix PKCS7 potential segfault
As the code that handles libctx, propq for PKCS7 is very similar to CMS
code, a similiar fix for issue #13624 needs to be applied.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13668)
2021-01-18 15:01:26 +01:00
Shane Lontis
84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.
Fixes #13624

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13668)
2021-01-18 15:01:26 +01:00
Tomas Mraz
0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity
To clarify the purpose of these two calls rename them to
EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv.

Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV
to better align with the function name.

Fixes #13411

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13870)
2021-01-18 14:27:44 +01:00
Michael Baentsch
3aff5b4bac Update SERVER_HELLO_MAX_LENGTH
Update constant to maximum permitted by RFC 8446

Fixes #13868

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13874)
2021-01-18 09:06:34 +00:00
Dr. David von Oheimb
ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)
2021-01-16 11:29:43 +01:00
Dr. David von Oheimb
dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)
2021-01-16 11:29:43 +01:00
Dr. David von Oheimb
ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)
2021-01-16 11:29:43 +01:00
Jon Spillett
2c04b34140 Allow EVP_PKEY private key objects to be created without a public component
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13855)
2021-01-15 17:24:41 +01:00
Richard Levitte
39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c
OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED,
as the latter doesn't take the configuration option '--api=' in account.

Fixes #13865

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13866)
2021-01-15 11:19:25 +01:00
Richard Levitte
3f6e891d42 Fix crypto/des/build.info
!$disabled{mdc2} was used to determine if DES files should be included
in providers/liblegacy.a.  Use !$disabled{des} instead.

Fixes #13865

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13866)
2021-01-15 11:19:25 +01:00
Rich Salz
e604b7c915 Document openssl thread-safety
Also discuss reference-counting, mutability and safety.

Thanks to David Benjamin for pointing to comment text he added
to boringSSL's header files.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13788)
2021-01-15 10:51:51 +01:00
Pauli
975aae76db Remove unused DRBG tests.
The DRBG known answer tests are performed by evp_test and the old vectors
are not used.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13867)
2021-01-15 19:31:21 +10:00
Daniel Bevenius
0434f9841d Correct typo in rsa_oaep.c
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13861)
2021-01-15 10:02:36 +01:00
Michael Baentsch
3bc061eb0a Enhance default provider documentation
Bring Wiki and man page documentation in line regarding default provider
fall-back behaviour.

Fixes #13844

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13859)
2021-01-14 17:33:47 +00:00
Matt Caswell
b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code
When a fetch is attempted simultaneously from multiple threads then both
threads can attempt to construct the method. However only one of those
will get added to the global evp method store. The one that "lost" the
race to add the method to the global evp method store ended up with the
fetch call returning NULL, instead of returning the method that was
already available.

Fixes #13682

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Matt Caswell
7dd2cb5693 Fix an issue in provider_activate_fallbacks()
The above function was running while holding the store lock with a read
lock. Unfortunately it actually modifies the store, so a write lock is
required instead.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Matt Caswell
b457c8f514 Extend the threads test to add simple fetch from multi threads
Issue #13682 suggests that doing a simple fetch from multi-threads may
result in issues so we add a test for that.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Matt Caswell
f5a50c2a07 Enable locking on the primary DRBG when we create it
The primary DRBG may be shared across multiple threads and therefore
we must use locking to access it. Previously we were enabling that locking
lazily when we attempted to obtain one of the child DRBGs. Part of the
process of enabling the lock, is to create the lock. But if we create the
lock lazily then it is too late - we may race with other threads where each
thread is independently attempting to enable the locking. This results
in multiple locks being created - only one of which "sticks" and the rest
are leaked.

Instead we enable locking on the primary when we first create it. This is
already locked and therefore we cannot race.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Matt Caswell
2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()
The function ossl_lib_ctx_generic_new() modifies the exdata. This may
be simultaneously being modified by other threads and therefore we need
to make sure we take the lock before doing so.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Matt Caswell
c25a1524aa Lock the provider operation_bits
The provider operation_bits array can see concurrent access by multiple
threads and can be reallocated at any time. Therefore we need to ensure
that it is appropriately locked.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Matt Caswell
886ad0045b Document the core_thread_start upcall
The core_thread_start upcall previously had a placeholder in the docs.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Matt Caswell
ae95a40e8d Add a test for performing work in multiple concurrent threads
We test both the default provider and the fips provider

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Matt Caswell
f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module
The FIPS implementation of the ossl_ctx_thread_stop function needs to
use an OSSL_LIB_CTX - but gets passed a provctx as an argument. It was
assuming that these are the same thing (which was true at one point
during development) - but that is no longer the case. The fix is to
get the OSSL_LIB_CTX out of the provctx.

Fixes #13469

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)
2021-01-14 17:30:46 +00:00
Dr. David von Oheimb
c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one
Also point out in the documenting comment that a non-expired issuer is preferred.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13805)
2021-01-14 14:34:00 +01:00
Richard Levitte
f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7)
Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13846)
2021-01-14 11:37:52 +01:00
Dmitry Belyavskiy
4369a882a5 Skip BOM when reading the config file
Fixes #13840

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13857)
2021-01-14 11:20:10 +01:00
David Carlier
5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update.
when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13650)
2021-01-14 08:34:38 +00:00
David Carlier
b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13821)
2021-01-14 08:27:14 +00:00
Richard Levitte
879365e6d4 Make header references conform with man-pages(7) in all manuals
Details from man-pages(7) that are used:

   Formatting conventions (general)

       ...
       Filenames (whether pathnames, or references to header files) are always
       in italics (e.g., <stdio.h>), except in the SYNOPSIS section, where in‐
       cluded files are in bold (e.g., #include <stdio.h>).  When referring to
       a standard header file include, specify the header file  surrounded  by
       angle brackets, in the usual C way (e.g., <stdio.h>).
       ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13843)
2021-01-13 23:39:59 +01:00
Richard Levitte
0f2380066d Make the OSSL_trace manual conform with man-pages(7)
Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13842)
2021-01-13 23:36:52 +01:00
Richard Levitte
2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7)
Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13845)
2021-01-13 23:34:56 +01:00
Richard Levitte
ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7)
Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13847)
2021-01-13 23:33:16 +01:00
Richard Levitte
ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7)
Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13849)
2021-01-13 23:31:40 +01:00
Richard Levitte
b91f41daba Make the OSSL_PARAM manual conform with man-pages(7)
Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13848)
2021-01-13 23:29:30 +01:00
Tomas Mraz
8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key
Same for chacha20-poly1305.

The test_cipher_reinit and test_cipher_reinit_partialupdate is modified
to test this case of cipher context reinitialization.

Fixes #13064

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13850)
2021-01-13 18:04:28 +01:00
Dr. David von Oheimb
2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
2021-01-13 11:53:16 +01:00
Dr. David von Oheimb
04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
2021-01-13 11:53:15 +01:00
Dr. David von Oheimb
0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
2021-01-13 11:53:15 +01:00
Dr. David von Oheimb
73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
2021-01-13 11:53:15 +01:00