Commit Graph

30276 Commits

Author SHA1 Message Date
Richard Levitte
3dd74e21fa Fix a few tests that fail on VMS
In one spot, files aren't properly closed, so the sub-process program
that's supposed to read them can't, because it's locked out.

In another spot, srctop_file() was used where srctop_dir() should be
used to properly format a directory specification.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16518)

(cherry picked from commit 7364545e07)
2021-09-07 10:51:54 +02:00
Richard Levitte
6929c8fb5b Configuration: support building for OpenVMS for x86_64
OpenVMS for x86_64 is currently out on a field test.  Building
programs for it is currently done with cross compilation on Itanium.
The cross compilation tools are made available by running a script,
which makes cross-compilation variants of most commands available, and
adds the cross-compilation C compiler XCC.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16498)
2021-09-06 18:42:01 +10:00
Richard Levitte
d4458e59f6 test/recipes/25-test_verify.t: Add a couple of tests of mixed PEM files
Fixes #16224

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
2021-09-05 21:34:51 +02:00
Richard Levitte
0195cdd28f ENCODER PROV: Add encoders with EncryptedPrivateKeyInfo output
Since EncryptedPrivateKeyInfo is a recognised structure, it's
reasonable to think that someone might want to specify it.

To be noted is that if someone specifies the structure PrivateKeyInfo
but has also passed a passphrase callback, the result will still
become a EncryptedPrivateKeyInfo structure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
2021-09-05 21:34:51 +02:00
Richard Levitte
602bfb8b98 Adjust test/endecoder_test.c
The protected tests need to specify the structure EncryptedPrivateKeyInfo
rather than PrivateKeyInfo, since that's the outermost structure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
2021-09-05 21:34:51 +02:00
Richard Levitte
821b3956ec OSSL_STORE 'file:' scheme: Set input structure for certificates and CRLs
When the user expects to load a certificate or a CRL through the
OSSL_STORE loading function, the 'file:' implementation sets the
corresponding structure names in the internal decoder context.
This is especially geared for PEM files, which often contain a mix of
objects, and password prompting should be avoided for objects that
need them, but aren't what the caller is looking for.

Fixes #16224

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
2021-09-05 21:34:50 +02:00
Richard Levitte
98408852c1 PEM to DER decoder: Specify object type and data structure more consistently
The data structure wasn't given for recognised certificates or CRLs.
It's better, though, to specify it for those objects as well, so they
can be used to filter what actually gets decoded, which will be
helpful for our OSSL_STORE 'file:' scheme implementation.

Fixes #16224

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
2021-09-05 21:34:50 +02:00
Richard Levitte
73dd5d67c5 DECODER: check the first decoded structure name against user given structure
In a chain of decoders, the first that specifies an input structure
gets it compared with the structure specified by the user, if there is
one.  If they aren't the same, that decoder is skipped.

Because the first structure can appear anywhere along a chain of
decoders, not just the decoders associated with the resulting OpenSSL
type, the code that checked the structure name when building up the
chain of decoders is removed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
2021-09-05 21:34:50 +02:00
slontis
d7b5f06ede Add KEM dupctx test
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16495)
2021-09-03 12:31:59 +02:00
slontis
21a0d9f3ed Fix dh dupctx refcount error
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16495)
2021-09-03 12:31:59 +02:00
slontis
85407b7754 Fix double free in EVP_PKEY_CTX_dup()
If the internal operations dupctx() fails then a free is done (e.g. EVP_KEYEXCH_free()). If this is not set to NULL the EVP_PKEY_CTX_free() will do a double free.
This was found by testing kdf_dupctx() in kdf_exch.c (Note this always
fails since the internal KDF's do not have a dup method).

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16495)
2021-09-03 12:31:59 +02:00
PW Hu
6f2f599448 EVP_PKEY_gettable_params.pod: Update argument names
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16494)
2021-09-03 12:27:28 +02:00
Richard Levitte
9150ca6017 VMS: Compensate for x86_64 cross compiler type incompatibility
The x86_64 cross compiler says that 'unsigned long long' isn't the
same as 'unsigned __int64'.  Sure, and considering that
providers/implementations/rands/seeding/rand_vms.c is specific VMS
only code, it's easy to just change the type to the exact same as
what's specified in the system headers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16497)

(cherry picked from commit 1ef526ef42)
2021-09-03 11:22:33 +02:00
Richard Levitte
2727265752 Prepare for 3.1
Because we now have an openssl-3.0 branch, master is moved to be the
next potential minor version.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16484)
2021-09-03 11:01:55 +02:00
Viktor Dukhovni
305c77aa82 Test for DANE cross cert fix
Reviewed-by: Tomáš Mráz <tomas@openssl.org>
2021-09-03 00:11:53 -04:00
Viktor Dukhovni
661de442e4 Prioritise DANE TLSA issuer certs over peer certs
When building the certificate chain, prioritise any Cert(0) Full(0)
certificates from TLSA records over certificates received from the peer.

This is important when the server sends a cross cert, but TLSA records include
the underlying root CA cert.  We want to construct a chain with the issuer from
the TLSA record, which can then match the TLSA records (while the associated
cross cert may not).

Reviewed-by: Tomáš Mráz <tomas@openssl.org>
2021-09-03 00:10:03 -04:00
Pauli
505d44c623 rand: avoid using the derivation function for the public and private DRBGs
There is no point using it becuase they are getting full quality entropy from
the primary DRBG (which remains using the d.f.).

Also cleaned up the parameter passing to the DRBGs to not pass parameters that
are unknown.

Fixes #16117

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16156)
2021-09-03 10:23:21 +10:00
Daniel Bevenius
1b9e467887 Fix indentation of tls13_hkdf_expand parameters
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16489)
2021-09-03 08:55:29 +10:00
Pauli
f92bfddc1d CI: add last run-checker fuzzing CIs to Actions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16438)
2021-09-02 19:23:32 +10:00
a1346054
473664aafd always use the same perl in $PATH
Different tests may use unexpectedly different versions of perl,
depending on whether they hardcode the path to the perl executable or if
they resolve the path from the environment. This fixes it so that the
same perl is always used.

Fix some trailing whitespace and spelling mistakes as well.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16362)
2021-09-02 12:55:39 +10:00
Mattias Ellert
3a1fa0116a Openssl fails to compile on Debian with kfreebsd kernels
(kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler
is:

../crypto/uid.c: In function 'OPENSSL_issetugid':
../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
   50 |     return getauxval(AT_SECURE) != 0;
      |                      ^~~~~~~~~

This commit changes the code to use the freebsd code in this case.
This fixes the compilation.

CLA: trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16477)
2021-09-02 10:02:32 +10:00
Richard Levitte
8e706c8ae5 dev/release.sh: Adjust release branch names to votes
The OTC voted today that the release branch for OpenSSL 3.0 should be
openssl-3.0 rather than openssl-3.0.x.  The release script is changed
accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16481)
2021-08-31 18:34:56 +02:00
Matt Caswell
59f4a51a7f Add a test for verifying an email with a bad othername type
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16443)
2021-08-31 20:47:25 +10:00
Matt Caswell
c7f8edfc11 Ensure that we check the ASN.1 type of an "otherName" before using it
We should not assume that the type of an ASN.1 value is UTF8String as
expected. We must actually check it, otherwise we could get a NULL ptr
deref, or worse memory errors.

Reported by David Benjamin.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16443)
2021-08-31 20:47:25 +10:00
slontis
5595058714 Add the self test type OSSL_SELF_TEST_TYPE_PCT_SIGNATURE
Fixes #16457

The ECDSA and DSA signature tests use Pairwise tests instead of KATS.
Note there is a seperate type used by the keygen for conditional Pairwise Tests.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16461)
2021-08-31 20:45:53 +10:00
Matt Caswell
9b6d17e423 Add a warning about locking in the child provider callback docs
The child provider callbacks can hold the store lock. In order to avoid
deadlocks we require that the callback implementations don't themselves
call functions that may aquire those locks.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16469)
2021-08-31 20:44:16 +10:00
Pauli
4f8e0272c1 Add additional test to thread sanitizer build
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16469)
2021-08-31 20:44:16 +10:00
Matt Caswell
2b4a611ef1 Refactor provider_core.c to adhere to the locking rules
The previous commit provided some guidelines and some rules for using
locking in order to avoid deadlocks. This commit refactors the code in
order to adhere to those guidelines and rules.

Fixes #16312

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16469)
2021-08-31 20:44:16 +10:00
Matt Caswell
03c137de97 Add commentary about lock usage in provider_core.c
Provide some guidelines, as well as some rules for using the locks in
provider_core.c, in order to avoid the introduction of deadlocks.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16469)
2021-08-31 20:44:16 +10:00
Pauli
c7468c17d7 CI: add builds covering a number of different compiler versions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16463)
2021-08-31 20:41:58 +10:00
Tomas Mraz
2bdab81198 apps/pkcs12: Do not assume null termination of ASN1_UTF8STRING
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16433)
2021-08-31 12:20:12 +02:00
Tomas Mraz
3f7ad402b0 ci: Add -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to asan build
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16433)
2021-08-31 12:20:12 +02:00
Tomas Mraz
72a509f94f Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests
Fixes #16428

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16433)
2021-08-31 12:20:12 +02:00
slontis
6922255225 Document that EVP_get_cipherbyname() does not work for some new algorithm names.
These algorithms were added to providers but have no const EVP_CIPHER*
mapping. Ciphers for SIV and CTS were previously only available via low level
function calls that are deprecated.

Reported by @reaperhulk.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16414)
2021-08-31 12:18:04 +02:00
Jaime Hablutzel
028593f546 Typo correction.
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16470)
2021-08-30 19:44:52 -05:00
Nicola Tuveri
78082769fa Use applink to fix windows tests
(readapted from 5c69c66a6972f84d56160c9ea4b30bab8fc2d3d4 by @bernd-edlinger)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16355)
2021-08-30 15:18:29 +03:00
Nicola Tuveri
7aa3dfc421 [ec] Do not default to OPENSSL_EC_NAMED_CURVE for curves without OID
Some curves don't have an associated OID: for those we should not
default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and instead
set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`.

This is a follow-up to https://github.com/openssl/openssl/pull/12312

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16355)
2021-08-30 15:18:19 +03:00
Nicola Tuveri
cca8a4ceda Fix d2i_ECPKParameters_fp and i2d_ECPKParameters_fp macros
These functions are part of the public API but we don't have tests
covering their usage.
They are actually implemented as macros and the absence of tests has
caused them to fall out-of-sync with the latest changes to ASN1 related
functions and cause compilation warnings.

This commit fixes the public headers to reflect these changes.

Fixes #12443

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16355)
2021-08-30 15:18:14 +03:00
Nicola Tuveri
ea1128e94e Add tests for i2d_TYPE_fp and d2i_TYPE_fp
These functions are part of the public API but we don't have tests
covering their usage.
They are actually implemented as macros and the absence of tests has
caused them to fall out-of-sync with the latest changes to ASN1 related
functions and cause compilation warnings.

@@ Note: This commit limits to ECPKParameters as a type.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16355)
2021-08-30 15:18:08 +03:00
Daniel Krügler
e8e1f6d1a9 Ensure that _GNU_SOURCE is defined for bss_dgram.c
This fixes the following error with gcc10 under strict ANSI conditions:

.../crypto/bio/bss_dgram.c:373:20: error: 'const struct in6_addr' has no member named 's6_addr32'

CLA: trivial
Fixes #16449

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16451)
2021-08-29 18:54:40 +02:00
Dmitry Belyavskiy
d15506874b Adjust the list of default provider's algorithms
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16448)
2021-08-28 21:32:39 +02:00
Bernd Edlinger
cce935b23c Fix the "Out of memory" EVP KDF scrypt test
This test did not really execute, since usually
the OPENSSL_malloc(0) will fail and prevent the
execution of the KDF.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16444)
2021-08-28 16:45:38 +02:00
Rich Salz
20b39175b5 Yet another doc-nits fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16436)
2021-08-28 11:12:14 +02:00
zhaozg
5327da81f0 cms: fix memleaks in cms_env.c
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16403)

(cherry picked from commit 58e1e397c6)
2021-08-27 09:26:12 +02:00
Xiaofei Bai
597d24e2ab Fix libdir path on darwin
In current Configure script, libdir can be specified either an absolute
path or relative, while in Configurations/shared-info.pl, on darwin
system "-install_name" only accepts relative libdir path, and the
program fails when receiving absolute libdir path. This PR is to fix
this and match requirements of scripts.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16393)
2021-08-27 09:21:14 +02:00
David Carlier
c023d98dcf Darwin platform allows to build on releases before Yosemite/ios 8.
backport #16409

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16418)
2021-08-27 08:51:05 +02:00
Tomas Mraz
6f242d224c doc: Add note about operation parameters validation
Fixes #16394

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16424)
2021-08-27 10:20:09 +10:00
Matt Caswell
194fcc9ae0 Add a test for running the config twice
Make sure there are no leaks from running the config file twice.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16425)
2021-08-27 09:52:19 +10:00
Matt Caswell
f38af12585 Add locking for the provider_conf.c
Avoid races where 2 threads attempt to configure activation of providers
at the same time. E.g. via an explicit and an implict load of the config
file at the same time.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16425)
2021-08-27 09:51:00 +10:00
Matt Caswell
6f25d3c479 When activating providers via config check we've not already activated them
We skip the activation if we already configured them.

Fixes #16250

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16425)
2021-08-27 09:51:00 +10:00