Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)
If a name is passed to EVP_<OBJ>_fetch of the form:
name1:name2:name3
The names are parsed on the separator ':' and added to the store, but
during the lookup in inner_evp_generic_fetch, the subsequent search of
the store uses the full name1:name2:name3 string, which fails lookup,
and causes subsequent assertion failures in evp_method_id.
instead catch the failure in inner_evp_generic_fetch and return an error
code if the name_id against a colon separated list of names fails. This
provides a graceful error return path without asserts, and leaves room
for a future feature in which such formatted names can be parsed and
searched for iteratively
Add a simple test to verify that providing a colon separated name
results in an error indicating an invalid lookup.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23110)
This can effectively reduce the binary size for platforms
that don't need ECX feature(~100KB).
Signed-off-by: Yi Li <yi1.li@intel.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20781)
This is an alternative to #20893
Additionally this fixes also a possible issue in UI_UTIL_read_pw:
When UI_new returns NULL, the result code would still be zero
as if UI_UTIL_read_pw succeeded, but the password buffer is left
uninitialized, with subsequent possible stack corruption or worse.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20957)
Discovered during coverage testing.
Remove unneccesary check when using ossl_dh_get0_params() and
ossl_dsa_get0_params(). These point to addresses and can not fail
for any existing calls.
Make dsa keygen tests only available in the FIPS module - as they are
not used in the default provider.
Change ossl_ffc_set_digest() to return void as it cannot fail.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20359)
Coverage testing showed that ossl_ffc_params_fromdata() was not setting
OSSL_PKEY_PARAM_FFC_DIGEST_PROPS.
Adding a negative test also showed that ossl_ffc_params_copy() did not
do a shallow copy of the digest or digest property.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20385)
Test for #19736
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19761)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19656)
These functions pass a library content and prop query.
The i2d documentation related to these functions has been corrected since the bio and fp functions always return 0 or 1.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18427)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18254)
The private key for rsa, dsa, dh and ecx was being included when the
selector was just the public key. (ec was working correctly).
This matches the documented behaviour.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17200)
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes#15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
Using OSSL_STORE is too heavy and breaks things.
There were also needed various fixes mainly for missing proper
handling of the SM2 keys in the OSSL_DECODER.
Fixes#14788
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15045)
An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was
not handled by the export/import since the flags were done as string combinations.
To keep this consistent with other object flags they are now passed as seperate OSSL_PARAM fields.
Fixes 'no-cached-fetch' build which uses export/import.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15210)
This method ignores the nid and could end up saving out the private key unencrypted
In earlier alpha releases OSSL_num_encoders() returned 0 for this test
case, which then meant that the legacy path was run, and the key was
then correctly encrypted.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15152)
Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
The OPENSSL_CTX type stands out a little by using a different prefix.
For consistency reasons, this type is renamed to OSSL_LIB_CTX.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)
This commit sets the error mark before calling old_priv_decode and if
old_priv_decode returns false, and if EVP_PKCS82PKEY is successful, the
errors are popped to the previously set mark.
The motivation for this is an issue we found when linking Node.js
against OpenSSL 3.0. Details can be found in the link below and the
test case provided in this commit attempts cover this.
Refs: https://github.com/danbev/learning-libcrypto#asn1-wrong-tag-issue
Refs: https://github.com/nodejs/node/issues/29817
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13073)
Really this test should go in evp_extra_test. However that doesn't
currently support a non-default libctx (with the "null" provider in the
default libctx). So (for now) we create evp_extra_test2.c
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12159)