Commit Graph

31310 Commits

Author SHA1 Message Date
Tomas Mraz
336d92eb20 Enable setting SSL_CERT_FLAG_TLS_STRICT with ssl config
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17989)
2022-06-03 13:22:42 +10:00
Tomas Mraz
b7873f92b0 CI: Add enable-quic to some of the builds
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18307)
2022-06-03 12:07:18 +10:00
Tomas Mraz
08e4901298 Add a test_ssl_new testcase
This requires some code being pulled into the empty protocol
implementation so the state machinery works.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18307)
2022-06-03 12:07:18 +10:00
Tomas Mraz
e44795bd5d First working empty protocol test
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18307)
2022-06-03 12:07:18 +10:00
Tomas Mraz
99e1cc7bca Add empty implementations of quic method functions
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18307)
2022-06-03 12:07:17 +10:00
Tomas Mraz
770ea54b58 Add OSSL_QUIC methods to headers and manual pages
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18307)
2022-06-03 12:07:17 +10:00
Tomas Mraz
30b013291a Configure: Add disablable for QUIC, disabled by default
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18307)
2022-06-03 12:07:17 +10:00
Nikolas
30adf6d209 Revert unnecessary PKCS7_verify() performance optimization
It appears that creating temporary read-only mem BIO won't increase performance significally
anymore. But it increases PKCS7_verify() complexity, so should be removed.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16590)
2022-06-02 18:41:49 +02:00
slontis
9510661400 Add VERSIONINFO resource to legacy provider if it is not builtin
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18416)
2022-06-02 11:09:10 -04:00
slontis
18f0870d39 Add Windows VERSIONINFO resource to fips provider dll.
Fixes #18388

This just looks like an omission, as this is added to libcrypto and libssl

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18416)
2022-06-02 11:09:10 -04:00
Peiwei Hu
48b571fe77 Fix the checks of BIO_get_cipher_status
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)
2022-06-02 10:36:56 -04:00
Peiwei Hu
e85bef981c Fix the checks of EVP_PKEY_param_check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)
2022-06-02 10:36:56 -04:00
Peiwei Hu
5755c11fd6 Fix the checks of UI_add_input_string
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)
2022-06-02 10:36:56 -04:00
Peiwei Hu
babc818c3f Fix the checks of EVP_PKEY_private_check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)
2022-06-02 10:36:56 -04:00
Peiwei Hu
bba14c6e28 Fix the checks of EVP_PKEY_public_check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)
2022-06-02 10:36:56 -04:00
Peiwei Hu
d016758706 Fix the checks of EVP_PKEY_pairwise_check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)
2022-06-02 10:36:56 -04:00
Peiwei Hu
92d0d7ea9b Fix the checks of EVP_PKEY_check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)
2022-06-02 10:36:56 -04:00
Peiwei Hu
c2f7614fb7 Fix the checks of RAND_bytes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)
2022-06-02 10:36:56 -04:00
Tomas Mraz
163bf682fd CTLOG_new_ex: Fix copy&paste error when setting propq
Fixes #18431

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18432)
2022-06-02 12:08:12 +02:00
Zhou Qingyang
b9a86d5dd8 Fix possible null pointer dereference of evp_pkey_get_legacy()
evp_pkey_get_legacy() will return NULL on failure, however several
uses of it or its wrappers does not check the return value of
evp_pkey_get_legacy(), which could lead to NULL pointer dereference.

Fix those possible bugs by adding NULL checking.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17967)
2022-06-02 12:06:08 +02:00
Matt Caswell
c4ed6f6f0e Don't call ossl_provider_free() without first setting refcnt
The function ossl_provider_free() decrements the refcnt of the
provider and frees it if it has reached 0. This only works if the
refcnt has already been initialised. We must only call
ossl_provider_free() after this initialisation - otherwise it will fail
to free the provider correctly.

Addresses the issue mentioned here:
https://github.com/openssl/openssl/pull/18355#issuecomment-1138741857

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18417)
2022-06-02 10:31:12 +01:00
Matt Caswell
b4be10dfcd Fix a memory leak is ossl_provider_doall_activated
If the callback fails then we don't correctly free providers that were
already in our stack and that we up-refed earlier.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18413)
2022-06-02 10:31:12 +01:00
Matt Caswell
da31939763 Fix another decoder mem leak on an error path
If pushing the decoder onto a stack fails then we should free the ref
we just created.

Found due to the error report here:
https://github.com/openssl/openssl/pull/18355#issuecomment-1138205688

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18411)
2022-06-02 10:31:12 +01:00
Matt Caswell
9ec9b968f9 Fix a decoder mem leak on an error path
If an error condition occurs then the the decoder that was up-refed in
ossl_decoder_instance_new can be leaked.

Found due to the error report here:
https://github.com/openssl/openssl/pull/18355#issuecomment-1138205688

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18410)
2022-06-02 10:31:12 +01:00
Peiwei Hu
2cba2e160d Fix the checks of EVP_PKEY_CTX_set/get_* functions
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18399)
2022-06-02 11:06:41 +02:00
Peiwei Hu
00d5193b68 Fix the check of evp_pkey_ctx_set_params_strict
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18399)
2022-06-02 11:06:41 +02:00
Peiwei Hu
7263a7fc3d Fix the checks of EVP_PKEY_CTX_get/set_rsa_pss_saltlen
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18399)
2022-06-02 11:06:35 +02:00
Peiwei Hu
56876ae952 Fix the erroneous checks of EVP_PKEY_CTX_set_group_name
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18399)
2022-06-02 11:06:35 +02:00
Jiuhai Zhang
1c5a4e3b5e Fix code format: BLOCK_CIPHER_custom
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18412)
2022-06-02 15:21:36 +10:00
Ladislav Marko
70ed3046c5 doc: Fix keymgmt functions parameters
CLA: trivial

Make OSSL_FUNC_keymgmt_import and OSSL_FUNC_keymgmt_export documentation correspond to core_dispatch.h signatures

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18423)
2022-06-01 17:16:17 +02:00
Tomas Mraz
770aea88c3 Update expired SCT issuer certificate
Fixes #15179

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18444)
2022-06-01 15:21:53 +02:00
Hugo Landau
ef7a9b44f0 Make OSSL_LIB_CTX_load_config thread safe
Fixes #18226.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18331)
2022-06-01 09:00:41 +01:00
Pauli
8a66b2f9fc changes: add note saying the locale based strcasecmp has been replaced
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18389)
2022-06-01 11:18:46 +10:00
Dr. David von Oheimb
3b7398843c OSSL_trace_enabled.pod and OSSL_trace_set_channel.pod: improve doc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18386)
2022-05-30 22:43:44 +02:00
Dr. David von Oheimb
e8fdb06035 http_client.c: Dump response on error when tracing is enabled
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18386)
2022-05-30 22:43:44 +02:00
Samuel Lee
3c58d44749 Move types.h #undefs for wincrypt.h compatibility
+ Always undef the symbols that may have been #define-d
  by wincrypt.h after the first inclusion of types.h to
  avoid errors from wincrypt.h symbols being used to
  compile OpenSSL code
+ Also need to remove #pragma once for this approach to work
+ Define WINCRYPT_USE_SYMBOL_PREFIX to enable wincrypt
  symbol prefix at some point in future

Fixes #9981

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/18131)
2022-05-30 07:19:14 +02:00
Bernd Edlinger
128d1c3c0a Fix visual glitch in non-verbose test output
This fixes a glitch in the non-verbose test output
$ make test
[...]
80-test_ciphername.t .... ok
80-test_cmp_http.t ...... 5/?
80-test_cmp_http.t ...... ok   611
80-test_cms.t ........... ok
80-test_cmsapi.t ........ ok

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18401)
2022-05-28 17:02:55 +02:00
Todd Short
eec204f4b1 Make running individual ssl-test easier
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18407)
2022-05-27 14:17:29 -04:00
Tomas Mraz
abe90105ba Check that UnsafeLegacyServerConnect option exists
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18296)
2022-05-27 08:47:31 +02:00
Tomas Mraz
d1b3b67413 The -no_legacy_server_connect option applies to client
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18296)
2022-05-27 08:47:31 +02:00
Tomas Mraz
65b2bb9ca0 Actually implement UnsafeLegacyServerConnect as documented
Fixes #18295

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18296)
2022-05-27 08:47:31 +02:00
Richard Levitte
42b4a8ab96 Configurations/gentemplate.pm: Generate generators too, when necessary
A generator in a `GENERATE[generated]=generator` build.info statement may
itself be generated.  That needs to be taken into account.

This was always meant to be, but we missed the spot, for lack of use cases.
Now we have one.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18263)
2022-05-27 08:10:49 +02:00
Tomas Mraz
db24ed5430 Generate the preprocessed .s files for chacha and poly 1305 on ia64
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18263)
2022-05-27 08:10:49 +02:00
Tomas Mraz
debd921006 Revert "Use .s extension for ia64 assembler"
This reverts commit 6009997abd.

The .s extension is incorrect as the assembler files contain
preprocessor directives.

Fixes #18259

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18263)
2022-05-27 08:10:49 +02:00
Tom Hughes
737e849fd9 Don't include sys/select.h on HP-UX as it doesn't exist
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18395)
2022-05-27 08:05:48 +02:00
Hugo Landau
416d0a638c QUIC wire format support
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18382)
2022-05-27 08:00:52 +02:00
Peiwei Hu
1aef2c10f1 Fix the check of UI_method_set_ex_data
UI_method_set_ex_data returns 0 and 1 instead of  negative numbers.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18397)
2022-05-27 07:57:43 +02:00
Peiwei Hu
f15e3f3aa9 Fix the incorrect checks of EVP_CIPHER_CTX_rand_key
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18397)
2022-05-27 07:57:43 +02:00
Peiwei Hu
8d9fec1781 Fix the incorrect checks of EVP_CIPHER_CTX_set_key_length
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18397)
2022-05-27 07:57:43 +02:00
Peiwei Hu
7e5e91176b Fix the defective check of EVP_PKEY_get_params
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18367)
2022-05-26 11:48:48 +10:00