Commit Graph

30609 Commits

Author SHA1 Message Date
Dr. David von Oheimb
2080134ee9 OSSL_HTTP_transfer.pod: Some clarifications on the BIO connect/disconnect callback function
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17160)
2021-12-03 11:57:47 +01:00
Dr. David von Oheimb
4ee464cf8e OSSL_HTTP_transfer.pod: Fix omission documenting the 'ok' parameter of OSSL_HTTP_close()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17160)
2021-12-03 11:57:47 +01:00
x2018
5fae09f3d8 s_cb.c: check the return value of X509_get0_pubkey()
Check is done to prevent wrong memory access by EVP_PKEY_get0_asn1()

Also fix wrong coding style in the s_cb.c file.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17176)
2021-12-02 15:15:02 +01:00
x2018
9d1a27051d check the return value of BN_dup() in rsa_lib.c:1248
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17168)
2021-12-02 09:51:16 +01:00
Dmitry Belyavskiy
07ba69483a Refactor: a separate func for provider activation from config
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17099)
2021-12-01 15:49:38 +01:00
Tomas Mraz
a632bfaa4e pvkkdf: Always reset buflen after clearing the buffer
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17164)
2021-12-01 12:33:01 +01:00
Tomas Mraz
d2217c88df various kdfs: Always reset buflen after clearing the buffer
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17165)
2021-11-30 11:52:10 +01:00
Dmitry Belyavskiy
29a27cb2c5 More detailed explanation how do engines work in 3.0
Related: #16868, #17081, #17107

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17115)
2021-11-30 09:42:04 +01:00
Dmitry Belyavskiy
d724da6938 No EtM for GOST ciphers in TLS 1.2
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17150)
2021-11-29 16:26:15 +01:00
PW Hu
bc42cf51c8 Return -1 properly from do_X509_REQ_verify and do_X509_verify
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17001)
2021-11-29 13:50:18 +01:00
olszomal
6cb814de6f Don't include any TLSv1.3 ciphersuites that are disabled
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16925)
2021-11-29 12:17:30 +10:00
Pauli
6d770c5ba3 doc: remove non-existent callbacks
These used to exist but were removed before release.
Updating the documentation was missed.

Fixes #17138

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17141)
2021-11-28 12:58:12 +10:00
Tom Cosgrove
6f87463b62 Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
When an integer value was specified, it was not being passed back via
the orig_p2 weirdness.

Regression test included.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17136)
2021-11-27 17:08:52 +10:00
Richard Levitte
23750f677e TEST: Enable and fix test_bn2padded() in test/bntest.c
This looks like old code, written when the padded variety of BN_bn2bin()
was developped, and disabled by default...  and forgotten.

A few simple changes to update it to the current API is all that was
needed to enable it.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17133)
2021-11-26 17:02:28 +01:00
Dr. David von Oheimb
7a37fd09a8 BIO_push.pod: fix confusing text and add details on corner cases
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17086)
2021-11-26 14:29:02 +01:00
Bernd Edlinger
0a10825a00 Enable brainpool curves for TLS1.3
See the recently assigned brainpool code points at:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7485)
2021-11-26 06:45:19 +01:00
Allan Jude
8e22f9d6d9 Detect arm64-*-*bsd and enable assembly optimizations
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17084)
2021-11-26 10:40:58 +10:00
Matt Caswell
bc6d9c9395 Don't delete the doc/html directories when cleaning
The doc/html sub-dirs get created by Configure. Therefore they should
not be cleaned away by "nmake clean". Otherwise the following sequence
fails:

 perl Configure VC-WIN64A
 nmake clean
 nmake
 nmake install

Fixes #17114

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17128)
2021-11-26 10:27:55 +10:00
x2018
3e0441520b check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17124)
2021-11-25 16:07:53 +10:00
Pauli
01fde90eec doc: fix macro name
OSSL_STORE_INFO_X509 doesn't exist.  It should be OSSL_STORE_INFO_CERT.

Fixes #17121

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17125)
2021-11-25 16:04:05 +10:00
x2018
b9648f31a4 check the return value of OPENSSL_strdup(CRYPTO_strdup) to prevent potential memory access error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17113)
2021-11-25 12:03:11 +10:00
x2018
dc7e42c6a1 check the return value of OPENSSL_strdup to prevent potential memory access error
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17110)
2021-11-25 10:34:15 +10:00
Richard Levitte
946bc0e3ec Allow sign extension in OSSL_PARAM_allocate_from_text()
This is done for the data type OSSL_PARAM_INTEGER by checking if the
most significant bit is set, and adding 8 to the number of buffer bits
if that is the case.  Everything else is already in place.

Fixes #17103

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
2021-11-24 19:18:19 +01:00
Richard Levitte
8585b5bc62 Have OSSL_PARAM_allocate_from_text() raise error on unexpected neg number
When the parameter definition has the data type OSSL_PARAM_UNSIGNED_INTEGER,
negative input values should not be accepted.

Fixes #17103

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
2021-11-24 19:18:19 +01:00
Richard Levitte
b556713a6f Test the performance of OSSL_PARAM_allocate_from_text with arbitrary size ints
With arbitrary size ints, we get to know exactly how large the minimum
buffer must be.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
2021-11-24 19:18:19 +01:00
Tomas Mraz
8c86529fe1 Add test for copying uninitialized EVP_MD_CTX
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17118)
2021-11-24 18:42:27 +01:00
Tomas Mraz
9ece8323ea EVP_MD_CTX_copy_ex: Allow copying uninitialized digest contexts
Fixes #17117

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17118)
2021-11-24 18:42:27 +01:00
Matt Caswell
3607b8ad8e Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs
The restriction about setting a tag length prior to setting the IV only
applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG
can be called.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17111)
2021-11-24 17:18:47 +00:00
Rami Khaldi
9567fd3819 x509: Return a nonzero exit code on error when checking ip/email/host
In the x509 app when doing the ip/email/host validation of a
certificate we return nonzero exit code if the validation fails.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17022)
2021-11-24 11:37:49 +01:00
Allan Jude
c1dabe26e3 Fix detection of ARMv7 and ARM64 CPU features on FreeBSD
OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25
Switch to using AT_HWCAP, and setting it to 16 if it is not defined.

OpenSSL calls elf_auxv_info() with AT_CANARY which returns ENOENT
resulting in all ARM acceleration features being disabled.

CLA: trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17082)
2021-11-24 11:00:24 +01:00
Patrick Uiterwijk
0e9a265e42 Support different R_BITS lengths for KBKDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17063)
2021-11-24 11:02:53 +10:00
Richard Levitte
4db1df8e82 DOC: Add a few previously documented functions
d2i_X509_bio(), d2i_X509_fp(), i2d_X509_bio(), and i2d_X509_fp()
were documented in OpenSSL 1.0.2.  In a grand unification of the
documentation of (almost) all d2i and i2d functions, these were
dropped, most likely by mistake.

This simply adds them back.

Fixes #17091

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17094)

(cherry picked from commit 1aa96159b0)
2021-11-23 19:34:19 +01:00
Tomas Mraz
5321333520 Add test for EVP_PKEY_sign_init_ex with RSA PSS padding
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17080)
2021-11-23 15:15:43 +01:00
Tomas Mraz
eaae5d69eb rsa_signverify_init: Set the PARAMS after key is set
Also, default to unrestricted pss parameters until the key is set.

Fixes #17075

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17080)
2021-11-23 15:15:32 +01:00
Richard Levitte
b33fb68a32 DOC: OSSL_PARAM_{set,get,construct}_BN() currently only supports nonnegative numbers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17074)
2021-11-23 11:40:29 +01:00
Richard Levitte
db65eabefe Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers
Adding documentation to that fact as well.

Fixes #17070

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17074)
2021-11-23 11:40:29 +01:00
Bernd Edlinger
2595eef82c Add a test case for duplicate engine loading
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17073)
2021-11-23 06:08:17 +01:00
Bernd Edlinger
e2571e02d2 Avoid loading of a dynamic engine twice
Use the address of the bind function as a DYNAMIC_ID,
since the true name of the engine is not known
before the bind function returns,
but invoking the bind function before the engine
is unloaded results in memory corruption.

Fixes #17023

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17073)
2021-11-23 06:08:16 +01:00
Dr. David von Oheimb
4599ea9fe3 Fix HTTP server port output and allow dynamic verbosity setting
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16061)
2021-11-22 15:38:39 +01:00
Peiwei Hu
40649e36c4 SSL_export_keying_material: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:43:44 +01:00
Peiwei Hu
a9ed63f1d1 BIO_set_indent: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:43:44 +01:00
Peiwei Hu
ac6568ecc6 BIO_set_prefix: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:43:44 +01:00
Peiwei Hu
a8f4cdd70c EVP_RAND_generate: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:43:44 +01:00
Peiwei Hu
7f608e4b1d asn1_item_embed_d2i: fix th return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:43:44 +01:00
Peiwei Hu
aba9943fef TXT_DB_write: fix the return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:43:44 +01:00
Peiwei Hu
0650ac437b Fix EVP_PKEY_decrypt return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:43:44 +01:00
Peiwei Hu
546b9f6b5c ossl_do_blob_header: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:42:47 +01:00
Peiwei Hu
7264068a15 BIO_gets: fix the incomplete return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
2021-11-22 14:42:47 +01:00
Dr. David von Oheimb
e7313323cc 02-test_errstr.t: print errorcodes in hex (rather than decimal) format
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17056)
2021-11-22 14:38:18 +01:00
Dr. David von Oheimb
3ae5528838 Make ERR_str_reasons in err.c consistent again with err.h
Fixes printing generic reason strings, e.g., 'reason(524550)' vs. 'passed an invalid argument'

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17056)
2021-11-22 14:38:18 +01:00