Commit Graph

28266 Commits

Author SHA1 Message Date
Shane Lontis
32ab57cbb4 Fix external symbols related to ec & sm2 keys
Partial fix for #12964

This adds ossl_ names for the following symbols:

ec_*, ecx_*, ecdh_*, ecdsa_*, sm2_*

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)
2021-02-26 10:53:01 +10:00
Shane Lontis
5af02212a5 Fix external symbols related to dsa keys
Partial fix for #12964

This adds ossl_ names for the following symbols:

dsa_check_pairwise, dsa_check_params, dsa_check_priv_key, dsa_check_pub_key, dsa_check_pub_key_partial,
dsa_do_sign_int, dsa_ffc_params_fromdata,
dsa_generate_ffc_parameters, dsa_generate_public_key,
dsa_get0_params, dsa_key_fromdata, dsa_new_with_ctx, dsa_pkey_method, dsa_sign_int

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)
2021-02-26 10:50:30 +10:00
Shane Lontis
19dbb742cd Fix external symbols related to dh keys
Partial fix for #12964

This adds ossl_ names for the following symbols:

dh_new_by_nid_ex, dh_new_ex, dh_generate_ffc_parameters, dh_generate_public_key,
dh_get_named_group_uid_from_size, dh_gen_type_id2name, dh_gen_type_name2id,
dh_cache_named_group, dh_get0_params, dh_get0_nid,
dh_params_fromdata, dh_key_fromdata, dh_params_todata, dh_key_todata,
dh_check_pub_key_partial, dh_check_priv_key, dh_check_pairwise,
dh_get_method, dh_buf2key, dh_key2buf, dh_KDF_X9_42_asn1,
dh_pkey_method, dhx_pkey_method

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)
2021-02-26 10:50:30 +10:00
Shane Lontis
94553e85b6 Fix external symbols for bn
Partial fix for #12964

This adds ossl_ names for symbols related to bn_*

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14296)
2021-02-26 10:32:22 +10:00
Mark
2d96895122 Fix filename escaping in c_rehash
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14301)
2021-02-26 10:03:48 +10:00
Tomas Mraz
1cba86234a evp_extra_test: Do not manipulate providers in default context
Otherwise the with OPENSSL_TEST_RAND_ORDER following tests will
be broken. There is also no real need to do that.

Fixes #14070

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14305)
2021-02-25 17:55:58 +01:00
Tomas Mraz
8cdc3425af fake_random: Do not overwrite the callback on instatiation
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14299)
2021-02-25 14:01:54 +01:00
Tomas Mraz
0c84139c98 Ensure that the fake rand is initialized
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14299)
2021-02-25 14:01:54 +01:00
jwalch
75de543635 Fix an integer overflow in o_time.c
If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow.

I think leaving offset_hms as an int is still safe.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14252)
2021-02-25 08:39:07 +10:00
Matt Caswell
5eb73cfb37 Add a test for a names_do_all function
Make sure that if we change the namemap part way through calling a
names_do_all function it still works.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14250)
2021-02-25 08:37:22 +10:00
Matt Caswell
d84f5515fa Don't hold a lock when calling a callback in ossl_namemap_doall_names
We don't want to hold a read lock when calling a user supplied callback.
That callback could do anything so the risk of a deadlock is high.
Instead we collect all the names first inside the read lock, and then
subsequently call the user callback outside the read lock.

Fixes #14225

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14250)
2021-02-25 08:37:22 +10:00
Richard Levitte
6be27456e1 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string()
OSSL_PARAM_BLD_push_utf8_string() was still setting the length in
bytes of the UTF8 string to include the terminating NUL byte, while
recent changes excludes that byte from the length.  It's still made to
add a NUL byte at the end of the string no matter what.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)
2021-02-24 19:50:10 +01:00
Richard Levitte
af8bd1d835 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING
OSSL_PARAM_allocate_from_text() was still setting the length in bytes
of the UTF8 string to include the terminating NUL byte, while recent
changes excludes that byte from the length.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)
2021-02-24 19:50:10 +01:00
Richard Levitte
a8eb71ad57 Allow the sshkdf type to be passed as a single character
This partially reverts commit 270a5ce1d9.

This also slightly modifies the way diverse parameters in are
specified in providers/fips/self_test_data.inc for better consistency.

Fixes #14027

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)
2021-02-24 19:50:10 +01:00
Tomas Mraz
da9988e0f5 Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)
2021-02-24 17:55:20 +01:00
Tomas Mraz
b300f1cb3d Fix missing EOL at the end of the rsa/build.info
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)
2021-02-24 17:55:20 +01:00
Tomas Mraz
53cefef62b Remove inclusion of unnecessary header files
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)
2021-02-24 17:55:20 +01:00
Tomas Mraz
7415ffe368 Use strcasecmp when comparing kdf_type
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)
2021-02-24 17:55:20 +01:00
Tomas Mraz
861f265a40 speed: Drop deprecated <ALG>_options() calls
Also correction of some code format issues.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
2021-02-24 16:53:18 +01:00
Tomas Mraz
f3ccfc76fe speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa
Fixes #13909

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
2021-02-24 16:53:18 +01:00
Tomas Mraz
a89cd8d87c speed: Adapt digests and hmac to always use non-deprecated APIs
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
2021-02-24 16:53:18 +01:00
Tomas Mraz
ee1d7f1d25 speed: Drop code to handle platforms without SIGALRM
(except for Windows where a separate thread stops the looping)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
2021-02-24 16:53:18 +01:00
Daniel Bevenius
af9f2ee339 Fix typo in comment in DH_set0_pqg function
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14288)
2021-02-25 00:06:41 +10:00
Matt Caswell
81c15ed00b Test errors from a provider can still be accessed after unload
Providers can create errors that may refer to const strings within the
provider module itself. If the provider gets unloaded we need to be sure
that we can still access the errors in the error stack.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14213)
2021-02-24 12:13:38 +00:00
Matt Caswell
de4a88a979 Duplicate the file and func error strings
Errors raised from a provider that is subsequently unloaded from memory
may have references to strings representing the file and function that
are no longer present because the provider is no longer in memory. This
can cause crashes. To avoid this we duplicate the file and func strings.

Fixes #13623

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14213)
2021-02-24 12:13:38 +00:00
Pauli
b0001d0cf2 provider: add an unquery function to allow providers to clean up.
Without this, a provider  has no way to know that an application
has finished with the array it returned earlier.  A non-caching provider
requires this information.

Fixes #12974

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12974)
2021-02-24 21:24:36 +10:00
Pauli
8b3facd732 rand: note that locking needs to be explicitly enabled.
Fixes #13912

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14224)
2021-02-24 21:21:47 +10:00
Tomas Mraz
76e48c9d66 Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm()
The functions are not needed and require returning octet ptr parameters
from providers that would like to support them which complicates provider
implementations.

Fixes #12985

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14279)
2021-02-24 10:44:15 +01:00
Richard Levitte
10315851d0 X509: Refactor X509_PUBKEY processing to include provider side keys
When a SubjectPublicKeyInfo (SPKI) is decoded into an X509_PUBKEY
structure, the corresponding EVP_PKEY is automatically added as well.
This used to only support our built-in keytypes, and only in legacy
form.

This is now refactored by making The ASN1 implementation of the
X509_PUBKEY an EXTERN_ASN1, resulting in a more manual implementation
of the basic support routines.  Specifically, the d2i routine will do
what was done in the callback before, and try to interpret the input
as an EVP_PKEY, first in legacy form, and then using OSSL_DECODER.

Fixes #13893

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14281)
2021-02-24 10:17:14 +01:00
Benjamin Kaduk
ce0b307ea0 Remove disabled TLS 1.3 ciphers from the SSL(_CTX)
In ssl_create_cipher_list() we make a pass through the ciphers to
remove those which are disabled in the current libctx.  We are
careful to not include such disabled TLS 1.3 ciphers in the final
consolidated cipher list that we produce, but the disabled ciphers
are still kept in the separate stack of TLS 1.3 ciphers associated
with the SSL or SSL_CTX in question.  This leads to confusing
results where a cipher is present in the tls13_cipherlist but absent
from the actual cipher list in use.  Keep the books in order and
remove the disabled ciphers from the 1.3 cipherlist at the same time
we skip adding them to the active cipher list.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12037)
2021-02-23 16:18:41 -08:00
Richard Levitte
6eb7c748d1 make update
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14292)
2021-02-23 23:07:15 +01:00
Richard Levitte
51d058cd94 appveyor.yml: clarify conditions for building the plain configuration
The "plain" configuration is only meant to be built for an '[extended tests]'
commit, or on the master branch.  This isn't at all clear from the
scripts, and furthermore, we "skip" the plain configuration by running
the OpenSSL configuration script...  and then nothing more.

Instead, we use AppVeyor configuration issues to specify when and when
not to build the "plain" configuration, and leave it to the scripts to
do the right thing using only $env:EXTENDED_TESTS.

Fixes #7958

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13537)
2021-02-23 19:08:39 +01:00
Richard Levitte
4f6aeabd65 make update
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14269)
2021-02-23 18:24:28 +01:00
Richard Levitte
7b9f8995f4 Generate doc/build.info with 'make update' rather than on the fly
doc/build.info was essentially generated on the fly while running
Configure, something that takes a huge amount of time on slower file
systems (such as Windows).

Instead, we generate it with 'make update', saving the user from
having to wait for too long, at the small price for developers to have
to run 'make update' whenever they write a new manual file.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14269)
2021-02-23 18:24:28 +01:00
Pauli
1263154064 changes: note the deprecation of RAND_METHOD APIs
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:41 +10:00
Pauli
299f5ff3b5 provider: add option to load a provider without disabling the fallbacks.
Add an argument to PROVIDER_try_load() that permits a provider to be
loaded without changing the fallback status.  This is useful when an
additional provider needs to be loaded without perturbing any other setup.
E.g. adding mock providers as part of unit testing.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:41 +10:00
Pauli
332a245c04 test: update tests to use the fake random number generator
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:41 +10:00
Pauli
d994ce1205 test: make the DRBG test work without RAND_METHOD support.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:41 +10:00
Pauli
b3ab537b3a test: add framework for generic fake random number generator
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:41 +10:00
Pauli
9c6ee56318 rand: add DRBG/seed setting functions
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:41 +10:00
Pauli
f626c3ffae rand: allow lock/unlock functions to be absent
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:41 +10:00
Pauli
786b13fa77 RAND_METHOD deprecation: code changes
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:41 +10:00
Pauli
de2ea978b5 RAND_METHOD deprecation: fuzzer
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:13 +10:00
Pauli
0a89ae97d9 RAND_METHOD deprecation: tests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:13 +10:00
Pauli
ac60c84fc4 RAND_METHOD deprecation: documentation
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-23 23:24:13 +10:00
Richard Levitte
f5b00834dd EVP: Adapt the EC_KEY specific EVP_PKEY_CTX setter / getter functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
2021-02-23 13:41:48 +01:00
Richard Levitte
bbf4dc96fc EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted
It would check the keytype and optype before determining if it even
supported the ctrl command number.  This turned out to be disruptive,
so we make it check that it supports the request ctrl command number
first.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
2021-02-23 13:41:48 +01:00
Richard Levitte
13f91a7245 EVP: Adapt the RSA specific EVP_PKEY_CTX setter / getter functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
2021-02-23 13:41:48 +01:00
Richard Levitte
df4592cbec EVP: Adapt the DH specific EVP_PKEY_CTX setter / getter functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
2021-02-23 13:41:48 +01:00
Richard Levitte
5524580b5c EVP: Adapt the EVP_PKEY_CTX ctrl functions
legacy_ctrl_to_param() and legacy_ctrl_str_to_param() are now
replaced with calls to evp_pkey_ctx_ctrl_to_param() and
evp_pkey_ctx_ctrl_str_to_param().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
2021-02-23 13:41:48 +01:00