Commit Graph

28674 Commits

Author SHA1 Message Date
Arthur Gautier
4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change
fixup 7c75f2daf8
      https://github.com/openssl/openssl/pull/14310

Previous commit changes the api, one code sample was left with previous
API.

CLA: trivial
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14551)
2021-03-17 12:32:39 +10:00
Pauli
1f79baa55e Remove TODOs from digest.c
They aren't relevant:
. Digest Sign isn't supported in the FIPS provider.
. Remove legacy NID use.

Fixes #14394
Fixes #14395

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)
2021-03-17 10:33:45 +10:00
Pauli
7128458b8a params: clean up TODO
The TODO being reworked to just be a comment.

Fixes #14374

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)
2021-03-17 10:33:45 +10:00
Pauli
8f391c7d1b doc: remove TODOs about redesigning the AEAD API
The changes would be significant and the benefits not likely to be too great.

Fixes #14368

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)
2021-03-17 10:33:45 +10:00
Pauli
95856e34bb prov: remove todos in rsa_keymgmt.c
The TODOs are about OAEP and aren't relevant.

Fixes #14361

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)
2021-03-17 10:33:45 +10:00
Pauli
cc32fbdca1 prov: remove TODO in der_rsa_key.c
Fixes #14365

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)
2021-03-17 10:33:45 +10:00
Tomas Mraz
d1f790de0c Add some encoder and decoder code examples
Fixes #14373

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14557)
2021-03-17 10:17:48 +10:00
Matt Caswell
5db682733d Fix a TODO(3.0) in the siphash code
All 3 files that included crypto/siphash.h also included siphash_local.h,
and no other files included siphash_local.h independently. They probably
should be just one header file.

Fixes #14360

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14558)
2021-03-17 10:16:21 +10:00
Tomas Mraz
37cddb2e2d p_lib.c: Remove TODO comments
The comments are either about legacy stuff that is going to be
removed in later releases or about a safety check that can
be kept.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14554)
2021-03-17 10:14:54 +10:00
Tomas Mraz
a289d3a427 property_test: use property values that are not used elsewhere
In test_property_query_value_create() we depend on the property
values to not be created by other test cases. Use such
values.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14573)
2021-03-16 13:31:08 +01:00
Tomas Mraz
2217d4c9cc core_get_libctx: use assert() instead of ossl_assert()
Using ossl_assert makes the build fail with --strict-warnings
because the ossl_assert is declared with warn_unused_result.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14571)
2021-03-16 13:15:18 +01:00
Tomas Mraz
a23deef281 provider_core: Remove two TODO 3.0
We need to keep the check for prov == NULL in ossl_provider_libctx
but it is not needed in core_get_libctx as there it can happen only when
there is a serious coding error in a third party provider and returning
NULL as libctx would be seriously wrong as that has a special meaning.

The second TODO is valid but not something that is relevant
for 3.0. Change it into a normal comment.

Fixes #14377

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14535)
2021-03-16 11:36:47 +01:00
Tomas Mraz
a8275fbc4a decoder_process: data_structure can be NULL
Check it before dereferencing.

Fixes #14530

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14531)
2021-03-16 11:25:18 +01:00
Pauli
1e08f3ba9e property: default queries create the property values.
Without this, it is necessary to query an algorithm before setting the default
property query.  With this, the value will be created and the default will
work.

Fixes #14516

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14542)
2021-03-16 09:19:20 +10:00
Tomas Mraz
bd55a0be1b Use --debug with no-caching build as sanitizers need it
The memleak test otherwise fails.

Also disable async, dtls, and old tls versions to test some
different combination of disableables and speed up tests.

Fixes #14337

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14536)
2021-03-16 07:56:10 +10:00
Matt Caswell
92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()
These functions now work for more key types than they did in 1.1.1

Fixes #14477

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
2021-03-15 15:51:50 +00:00
Matt Caswell
2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check()
RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.

Fixes #14482

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
2021-03-15 15:51:26 +00:00
Matt Caswell
2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output
Numerous functions have had their textual output amended. We add
a CHANGES entry for this.

Fixes #14476

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
2021-03-15 15:51:24 +00:00
Tomas Mraz
d8a809db4b apps: Make load_key_certs_crls to read only what is expected
The load_key_certs_crls tried to read the whole input stream
instead of returning once expected data is obtained.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14449)
2021-03-15 14:15:16 +01:00
Tomas Mraz
ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14449)
2021-03-15 13:29:57 +01:00
div2016bit
8287a4c3b2 Tiny clarification of comment for RSA_sign
CLA: trivial

On line 136, a period is added. I think this is what was intended.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14540)
2021-03-15 17:18:18 +10:00
Shane Lontis
3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.
Fixes #14480

An internal flag that is set during param gen was not being tested, so
the wrong type was used to select the dsa domain param validation method.

In the default provider - if no gen_type is set then by default the fips186_4 gentype
will be selected when pbits >=2048 otherwise it selects fips186_2.
The fips provider ignores the gen_type and always uses fips186_4.

Before this change dsa used fips186_2 by default in the default
provider.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14508)
2021-03-15 09:01:51 +10:00
Tomas Mraz
91bd45eb9a keymgmt_meth: remove two TODO 3.0
The first TODO 3.0 is not really a TODO, just a comment.

The second one is something that is needed for compatibility
with existing applications. There is no major reason in
trying to change this behavior right now.

Fixes #14400

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14534)
2021-03-14 15:45:40 +10:00
Tobias Nießen
3711f4c3fb Fix option description for PKCS#12 export
Refs: https://github.com/openssl/openssl/pull/4930

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14520)
2021-03-14 15:42:29 +10:00
Matt Caswell
703c4d669d Convert a TODO(3.0) in OPENSSL_thread_stop_ex to a comment
The TODO is describing something that would be nice to fix. In fact the
problem exists even in 1.1.1. It would be nice to fix it, but it does
not need to be done in the 3.0 timeframe.

Fixes #14376

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14533)
2021-03-14 15:40:25 +10:00
Matt Caswell
fadb77ce6d Remove a TODO from async_delete_thread_state()
There is nothing to be done here for the time being. If at some point
we make the async code libctx aware then we might need to make a change
but there are no plans to do that at the moment.

Fixes #14402

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14532)
2021-03-14 15:38:44 +10:00
Shane Lontis
0fc39c9030 Remove TODO in rsa_ameth.c
Fixes #14390

The only caller of this function tests EVP_KEYMGMT_is_a() beforehand
which will fail if the RSA key types do not match. So the test is not
necessary. The assert has been removed when it does the test.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14524)
2021-03-14 15:37:18 +10:00
Shane Lontis
8bfb8f3458 Remove TODO in test/acvp_test.c related to setting AES-GCM iv.
Fixes #14330

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14525)
2021-03-14 15:35:43 +10:00
Rich Salz
cd3f8c1b11 Always check CRYPTO_LOCK_{read,write}_lock
Some functions that lock things are void, so we just return early.

Also make ossl_namemap_empty return 0 on error.  Updated the docs, and added
some code to ossl_namemap_stored() to handle the failure, and updated the
tests to allow for failure.

Fixes: #14230

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14238)
2021-03-14 15:33:34 +10:00
Dr. David von Oheimb
f62846b703 apps/ts.c: Allow -untrusted arg to refer to multiple sources
This requires moving generally useful functions from apps/cmp.c to apps/lib/apps.c

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14504)
2021-03-13 11:16:13 +01:00
Dr. David von Oheimb
c89fd035d5 TS ESS: Let TS_RESP_verify_signature() make use of untrusted certs also from token response
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14504)
2021-03-13 11:16:13 +01:00
Pauli
234261f3a1 ssl: fix format specifier for size_t argument to BIO_printf
Fixes #14519

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14521)
2021-03-13 16:08:33 +10:00
Tomas Mraz
0413b7bb9c acvp_test: Do not expect exact number of self tests
There might be more because internal instances of the DRBG
might be initialized for the first time and thus
self-tested as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)
2021-03-12 15:13:37 +01:00
Tomas Mraz
061ae2f6a2 Remove the RAND_get0_public() from fips provider initialization
It is not needed anymore and it causes leaks because
it is called when the FIPS provider libctx is not yet
properly set up.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)
2021-03-12 15:13:00 +01:00
Tomas Mraz
12b4e5821d Use OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL) in libcrypto
Calling OPENSSL_init_crypto(0, NULL) is a no-op and will
not properly initialize thread local handling.

Only the calls that are needed to initialize thread locals
are kept, the rest of the no-op calls are removed.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)
2021-03-12 15:11:21 +01:00
Jakub Zelenka
343475126e Update CHANGES with info about AuthEnvelopedData addition
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14456)
2021-03-12 14:14:23 +01:00
Pauli
8f08957674 rename ossl_provider_forall_loaded to ossl_provider_doall_activated
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)
2021-03-12 09:14:00 +10:00
Pauli
3c5ce1ce81 doc: describe the return from ossl_provider_forall_loaded()
Also correct an incorrect statement about non-activated providers.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)
2021-03-12 09:14:00 +10:00
Pauli
7bbfbc8239 core: modify ossl_provider_forall_loaded() to avoid locking for the callbacks
To avoid recursive lock issues, a copy is taken of the provider list and
the callbacks are made without holding the store lock.

Fixes #14251

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)
2021-03-12 09:14:00 +10:00
Matt Caswell
3d0b56785a Don't crash if the pkeyopt doesn't have a value
All pkeyopt's must have a ":" and a value for the option. Not supplying
one can cause a crash

Fixes #14494

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14496)
2021-03-12 08:45:48 +10:00
Pauli
8bf611bc7f update set_ctx_param store management calls to return 1 for a NULL params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:30 +10:00
Pauli
20b8dc6fb1 update set_ctx_param DRBG calls to return 1 for a NULL params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:30 +10:00
Pauli
5a6b62bb42 update set_ctx_param MAC calls to return 1 for a NULL params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:30 +10:00
Pauli
c983a0e521 prov: add extra params argument to KDF implementations
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:21 +10:00
Pauli
f59612fed8 doc: note that get_params and set_params calls should return true if the param array is null
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:21 +10:00
Pauli
f187d4f9f8 doc: document the additional params argument to the various init() calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:21 +10:00
Pauli
12ddfa6b34 support params argument to AES cipher init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:21 +10:00
Pauli
1036bb64a7 doc: update cipher documentation to include the new init functions with params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:21 +10:00
Pauli
83da94ffa8 prov: support params argument to common cipher init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:21 +10:00
Pauli
deee967272 prov: support param argument to DES cipher init calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)
2021-03-12 08:27:21 +10:00