Commit Graph

27504 Commits

Author SHA1 Message Date
David von Oheimb
279b61d0ca apps/pkcs12: Retain test output files
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/4930)
2020-11-19 11:36:02 +01:00
David von Oheimb
9c73e48a08 Minor cleanup of error output for various apps
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/4930)
2020-11-19 11:36:02 +01:00
David von Oheimb
c1097eecdf apps/ca: Minor code and doc cleanup
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/4930)
2020-11-19 11:36:02 +01:00
Richard Levitte
d7e498ac55 Deprecate RSA harder
This deprecates all functions that deal with the types RSA and RSA_METHOD

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13096)
2020-11-18 23:38:34 +01:00
Pauli
b24d6c335d Rename internal drbg_ functions so they have an ossl_ prefix.
These functions are: drbg_enable_locking(), drbg_get_ctx_params(),
drbg_lock(), drbg_set_ctx_params() and drbg_unlock().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13417)
2020-11-19 07:39:13 +10:00
Pauli
b68a947fd2 Rename SHA3 internal functions so they have an ossl_ prefix
These are: keccak_kmac_init(), sha3_final(), sha3_init(), sha3_reset() and
sha3_update().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13417)
2020-11-19 07:39:13 +10:00
Pauli
5687afdf03 rename sha1_ctrl to ossl_sha1_ctrl.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13417)
2020-11-19 07:39:13 +10:00
Pauli
1dc188ba0e Provide side RNG functions renamed to have an ossl_ prefix.
These are: prov_crngt_cleanup_entropy(), prov_crngt_get_entropy(),
prov_pool_acquire_entropy(), prov_pool_add_nonce_data(),
prov_rand_drbg_free() and prov_rand_drbg_new().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13417)
2020-11-19 07:39:12 +10:00
Pauli
893d3df972 rename mac_key_* to ossl_mac_key_*
mac_key_free(), mac_key_new(), mac_key_up_ref().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13417)
2020-11-19 07:38:58 +10:00
Pauli
572e6df7db rename md5_block_asm_data_order to ossl_md5_block_asm_data_order
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13417)
2020-11-19 07:38:58 +10:00
Pauli
627b73cc72 Rename md5_sha1_* ossl_md5_sha1_*
md5_sha1_init(), md5_sha1_update(), md5_sha1_final() and md5_sha1_ctrl().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13417)
2020-11-19 07:38:53 +10:00
Richard Levitte
3800cc6f4d DOC: Fix example in OSSL_PARAM_int.pod
This fixes an incorrect NULL check.

Fixes #11162

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13426)
2020-11-18 17:12:20 +01:00
Matt Caswell
f1d6670840 Swap to FIPS186-2 DSA generation outside of the FIPS module
Inside the FIPS module we continue to use FIPS186-4. We prefer FIPS186-2
in the default provider for backwards compatibility reasons.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13228)
2020-11-18 14:54:18 +00:00
Matt Caswell
c2bd8d2783 Swap to DH_PARAMGEN_TYPE_GENERATOR as the default outside of the FIPS module
The documentation claimed this was already the default but it wasn't. This
was causing the dhparam application to change behaviour when compared to
1.1.1

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13228)
2020-11-18 14:54:18 +00:00
Matt Caswell
d3d2c0dc68 Adapt ssltest_old to not use deprecated DH APIs
There are non-deprecated replacements so we should use those instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:54 +00:00
Matt Caswell
3105d84693 Extend the auto DH testing to check DH sizes
Check that the size of the DH parameters we select changes according to
the size of the certificate key or symmetric cipher (if no certificate).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:54 +00:00
Matt Caswell
b6ae56fd27 Add some additional test certificates/keys
Add certs with 1024, 3072, 4096 and 8192 bit RSA keys

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:53 +00:00
Matt Caswell
1b2a55ffa2 Add a CHANGES.md entry for the "tmp_dh" functions/macros
Describe the tmp_dh deprecations, and what applications should do instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:53 +00:00
Matt Caswell
33c39a0659 Add a test for the various ways of setting temporary DH params
We support a number of different ways of setting temporary DH params. We
should test that they all work correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:53 +00:00
Matt Caswell
0437309fdf Document some SSL DH related functions/macros
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:53 +00:00
Matt Caswell
1072041b17 Return sensible values for some SSL ctrls
Some ctrls were always returning 0 even if they were successful.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:52 +00:00
Matt Caswell
13c453728c Only disabled what we need to in a no-dh build
no-dh disables the low level API for DH. However, since we're now using
the high level EVP API in most places we don't need to disable quite so
much.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:52 +00:00
Matt Caswell
163f6dc1f7 Implement a replacement for SSL_set_tmp_dh()
The old function took a DH as a parameter. In the new version we pass
an EVP_PKEY instead. Similarly for the SSL_CTX version of this function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:52 +00:00
Matt Caswell
9912be1b33 Remove deprecated functionality from s_server
This will be added back in by a later commit

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:52 +00:00
Matt Caswell
8b7df247b7 Disable the DHParameters config option in a no-deprecated build
This option calls SSL_set_tmp_dh() which does not exist in a no-deprecated
build. We need to implement an alternative.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:52 +00:00
Matt Caswell
936d565768 Remove DH usage from tls_process_cke_dhe
We instead set the encoded public key directly in the EVP_PKEY object.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:52 +00:00
Matt Caswell
184280971c Remove DH usage in tls_construct_server_key_exchange()
We get DH related parameters directly from the EVP_PKEY instead of
downgrading to a DH object first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:51 +00:00
Matt Caswell
cb5a427acf Avoid the use of a DH object in tls_construct_cke_dhe()
There is no need for us to downgrade the EVP_PKEY into a DH object
for this function so we rewrite things to avoid it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:51 +00:00
Matt Caswell
1b2b475517 Deprecate SSL_CTRL_SET_TMP_DH and other related ctrls
These ctrls pass around a DH object which is now deprecated, so we
deprecate the ctrls themselves.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:51 +00:00
Matt Caswell
1ee22dc268 Convert TLS ServerKeyExchange processing to use an EVP_PKEY
Previously we were constructing a DH object and then assigning it to an
EVP_PKEY. Instead we construct an EVP_PKEY directly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:23 +00:00
Matt Caswell
091f6074c5 Convert TLS auto DH parameters to use EVP_PKEY
Previously a DH object was constructed and then assigned to an EVP_PKEY.
Instead we now construct the EVP_PKEY directly instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-18 14:14:22 +00:00
Richard Levitte
2b93900e28 DOC: Rewrite the section on reporting errors in doc/man3/ERR_put_error.pod
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13320)
2020-11-18 11:40:52 +01:00
Richard Levitte
e19c5a1064 CONF: Convert one last CONFerr() to ERR_raise()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13320)
2020-11-18 11:40:52 +01:00
Richard Levitte
01fe51578e Simplify util/err-to-raise
There's no need to enumerate the possible {NAME}err, as they have a
consistent pattern.  Also, this script should not be used on the
engines, as they have already converted appropriately.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13320)
2020-11-18 11:40:52 +01:00
Richard Levitte
b06e70b868 Really deprecate the old NAMEerr() macros
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13320)
2020-11-18 11:40:52 +01:00
Richard Levitte
bf57cab74b util/find-doc-nits: check podchecker() return value
From the Pod::Checker manual:

> RETURN VALUE
>        podchecker returns the number of POD syntax errors found or
>        -1 if there were no POD commands at all found in the file.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13416)
2020-11-17 23:12:02 +01:00
Richard Levitte
c7d32b6ba5 util/mkrc.pl: Make sure FILEVERSION and PRODUCTVERSION have four numbers
Partially fixes #13414

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13415)
2020-11-17 13:18:16 +01:00
David Carlier
ef2a44eb31 NetBSD build fix.
getentropy shows up wrongly as weak symbol whereas there is no support.

However NetBSD 10.0 will support getrandom.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13408)
2020-11-17 13:16:49 +01:00
Richard Levitte
ccbf3f90c4 DOC: Fixup the description of the -x509_strict option
POD commands must always be surrounded by blank lines

POD transformers read everything in paragraph mode.  The following
lines become *one* command, where the second line becomes part of the
text of the first, including the command itself.  In other words,
this:

    =item something
    =item something else

Translates to this in a man-page:

    something =item something else

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13412)
2020-11-16 10:03:04 +01:00
Shane Lontis
4605c5ab47 Fix dsa securitycheck for fips.
Fixes #12627

Changed security check for DSA verification to match SP800-131Ar2 when
the security strength is < 112.
Fixed compilation error when using config opt 'no-fips-securitychecks'
Removed TODO's from 20-test_cli_fips.t - there is no longer an TODO error.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13387)
2020-11-16 17:21:57 +10:00
Shane Lontis
e557d46333 Add documentation for EVP_PKEY2PKCS8/EVP_PKCS82PKEY
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13388)
2020-11-16 17:16:18 +10:00
Shane Lontis
317b7c57e4 Fixup EVP-MAC-KMAC documentation
Fixes #13232

Added example that shows setup of XOF.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13385)
2020-11-16 16:56:11 +10:00
Daniel Bevenius
fce56f5b69 REF_PRINT: cast pointer to void to avoid warnings
Currently, when configuring OpenSSL and specifying the --strict-warnings
option there are failures like the following one:

crypto/bio/bio_lib.c: In function 'BIO_up_ref':
include/internal/refcount.h:169:25: error: format '%p' expects argument
of type 'void *', but argument 3 has type 'BIO *'
{aka 'struct bio_st *'} [-Werror=format=]
  169 |         fprintf(stderr, "%p:%4d:%s\n", b, b->references, a)
      |                         ^~~~~~~~~~~~~
crypto/bio/bio_lib.c:185:5:
note: in expansion of macro'REF_PRINT_COUNT'
  185 |     REF_PRINT_COUNT("BIO", a);
      |     ^~~~~~~~~~~~~~~
include/internal/refcount.h:169:27: note: format string is defined here
  169 |         fprintf(stderr, "%p:%4d:%s\n", b, b->references, a)
      |                          ~^
      |                           |
      |                           void *
cc1: all warnings being treated as errors

This commit adds casts to avoid the warnings.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13389)
2020-11-16 09:35:11 +10:00
Pauli
3084b9d316 Document the provider KDF API.
Fixes #11351

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13376)
2020-11-16 08:07:42 +10:00
Richard Levitte
e76a696273 test/endecoder_legacy_test.c: new test for legacy comparison
It checks that all of these functions have a corresponding
OSSL_ENCODER implementation, and that the output is the same:

- i2d_{TYPE}PrivateKey
- i2d_{TYPE}PublicKey
- i2d_{TYPE}params
- i2d_{TYPE}_PUBKEY
- PEM_write_bio_{TYPE}PrivateKey
- PEM_write_bio_{TYPE}PublicKey
- PEM_write_bio_{TYPE}Parameters
- PEM_write_bio_{TYPE}_PUBKEY

It also checks that all of these functions have a corresponding
OSSL_DECODER implementation, and that the decoding result matches:

- d2i_{TYPE}PrivateKey()
- d2i_{TYPE}PublicKey(),
- d2i_{TYPE}params(),
- d2i_{TYPE}_PUBKEY(),
- PEM_read_bio_{TYPE}PrivateKey()
- PEM_read_bio_{TYPE}PublicKey()
- PEM_read_bio_{TYPE}params()
- PEM_read_bio_{TYPE}_PUBKEY()

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13262)
2020-11-15 19:37:26 +01:00
Richard Levitte
efb4667f72 Fix SUPPORT.md for better readability
Most of the text was duplicated, and the second copy had better
section titles that made the intent more prominent.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13398)
2020-11-14 16:42:41 +01:00
Richard Levitte
322d56cd64 Fix a few github file references
https://github.com/openssl/openssl/blob/master/.github/SUPPORT.md ->
https://github.com/openssl/openssl/blob/master/SUPPORT.md

Fixes #13396

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13397)
2020-11-14 12:01:28 +01:00
Rich Salz
a18cf8fc63 Remove -C option from x509 command
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13384)
2020-11-13 14:45:22 +01:00
Rich Salz
1696b8909b Remove -C from dhparam,dsaparam,ecparam
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13384)
2020-11-13 14:45:22 +01:00
Richard Levitte
256d41d437 BIO: Undefine UNICODE in b_addr.c to get POSIX declaration of gai_strerror()
When UNICODE is defined, Windows headers push for WCHAR implementations,
which aren't compatible with POSIX declarations.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)
2020-11-13 09:35:31 +01:00