Commit Graph

28769 Commits

Author SHA1 Message Date
Matt Caswell
a669418c8e Be more selective about copying libcrypto symbols into legacy.so
Some private libcrypto symbols are also included in legacy.so.
Unfortunately this included some files with "RUN_ONCE" functions and
global data. This doesn't get properly cleaned up when OpenSSL exits.
Therefore we are more selective about the symbols we include in legacy.so.

Fixes #13560

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14646)
2021-03-23 17:24:47 +00:00
Randall S. Becker
ccdfcf07d9 Disable fips-securitychecks if no-fips is configured.
Fixes: #14629

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14634)
2021-03-23 16:19:44 +00:00
Jon Spillett
6511f686c2 endecode_test: Add file and line arguments to test callbacks
To improve debug information in case of test failures source
file and line arguments are added to test callbacks.

Fixes #14331

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14567)
2021-03-23 08:46:04 +01:00
Shane Lontis
e72dbd8e13 Fix usages of const EVP_MD.
Partially fixes #13837

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14474)
2021-03-22 15:40:04 +01:00
Andrey Matyukov
c781eb1c63 Dual 1024-bit exponentiation optimization for Intel IceLake CPU
with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU frequency scaling issues.
The performance speedup for RSA2k signature on ICL is ~2x.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13750)
2021-03-22 09:48:00 +00:00
Dr. David von Oheimb
db89d8f04b APPS: fix load_certs_multifile() interpreting backslashes
Fixes #14622

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14636)
2021-03-22 07:54:03 +01:00
Shane Lontis
251c48183b Fix DER reading from stdin for BIO_f_readbuffer
Fixes #14559

The intitial implementation of the gets() function tried using the next bio's gets() function.
For a file BIO this returned incorrect data for binary data containing 0x00.
Just buffering all data during gets() did not work however since some
applications open and close the bio multiple times when dealing with pem
files containing multiple entries.. This does not work
when reading from stdin unless the data if buffered one byte at a time.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14599)
2021-03-22 09:07:36 +10:00
Richard Levitte
6e34a1048c ASN1: Reset the content dump flag after dumping
When encountering a badly coded item, the DER printer (ASN1_print_dump())
sets a flag to ensure that an additional hex dump of the offending content
is printed as part of the output.  Unfortunately, this flag is never reset,
which means that all following items are printed with the extra hex dump,
whether they are faulty or not.

Resetting the flag after hex dumping ensures that only the faulty contents
are printed with the additional hex dump.

Fixes #14626

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14627)
2021-03-21 12:29:06 +01:00
Pauli
abded2ced4 evp: fix coverity 1473380: copy into fixed size buffer
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14614)
2021-03-21 11:13:39 +10:00
Pauli
c38048e793 sslapitest: fix problem in cleanup on failure path
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:33 +10:00
Pauli
b6d1bd4eb8 evp: fix coverity 1473381 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
72ded6f2a9 x509: coverity 1472673 & 1472693 - dereference after null checks
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
f1619160c8 test: coverity 1469426 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
88ce406c89 ssl: coverity 1465527 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
8f586f5bc1 test: coverity 1455749 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
337ace06b9 test: coverity 1455747 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
b6f0f546ff async: coverity 1446224 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
28c21fa048 evp: fix coverity 1445872 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
2021-03-20 10:18:32 +10:00
Pauli
07aa88cccf decoder: fix Coverity 1473236 & 1473386: resource leaks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:08:00 +10:00
Pauli
77b8b49bdd apps: fix Coverity 1472670 & 1472685: resource leaks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:08:00 +10:00
Pauli
bca681aa5b rsa: fix coverity 1472658: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:08:00 +10:00
Pauli
7153f54437 evp: fix coverity 1470561: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:08:00 +10:00
Pauli
9b0f76e12f test: fix coverity 1470559: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:08:00 +10:00
Pauli
015b221a5f test: fix coverity 1455330, 1455332, 1455334, 1455342, 1455344 : resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:08:00 +10:00
Pauli
e22105d1b3 ssl: fix coverity 1451495: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
65bf029d49 test: fix coverity 1414449 & 1414471: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
c0cd48fcb9 test: fix coverity 1414445: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
316c8dafd4 test: fix coverity 1454040: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
743840d56f test: fix coverity 1451562: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Pauli
b573d0ceea test: fix coverity 1451553: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
2021-03-20 10:07:59 +10:00
Richard Levitte
aff442dc38 Make ossl_d2i_PUBKEY_legacy() completely libcrypto internal
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
695c96ba51 Make evp_privatekey_from_binary() completely libcrypto internal
We also rename it to d2i_PrivateKey_legacy(), to match d2i_PrivateKey_decoder()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
55d9ccca8e TEST: Clarify and adjust test/recipes/30-test_evp.t
There are a few test cases at the end of test/recipes/30-test_evp.t,
which are designed to check that loading DSA keys when DSA is disabled,
or SM2 keys when SM2 is disables fail in an understandable way.  These
needed a small adjustment.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
c640b68785 STORE: Use the same error avoidance criteria as for the DER->key decoder
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
ff1c10d920 TEST: Modify test/endecode_test.c to give the decoder callback the structure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
f4e46b817d PROV: Add type specific MSBLOB and PVK decoding for the MS->key decoders
To make this cleaner, decoder_ms2key.c is split into decoder_msblob2key.c
and decoder_pvk2key.c.

This required a great deal of refactoring of crypto/pem/pvkfmt.c, to
make cleaner internal functions that our decoder implementations can
use.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
cf33379997 PROV: Add type specific PKCS#8 decoding to the DER->key decoders
This required refactoring a number of functions from the diverse
EVP_PKEY_ASN1_METHOD implementations to become shared backend
functions.  It also meant modifying a few of them to return pointers
to our internal RSA / DSA/ DH / EC_KEY, ... structures instead of
manipulating an EVP_PKEY pointer directly, letting the caller do the
latter.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
e0be34beee PROV: Add RSA-PSS specific OSSL_FUNC_KEYMGMT_LOAD function
The OSSL_FUNC_KEYMGMT_LOAD function for both plain RSA and RSA-PSS
keys now also check that the key to be loaded is the correct type,
and refuse to load it if it's not.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
06f6761280 PROV: Add type specific SubjectPublicKeyInfo decoding to the DER->key decoders
This makes it possible to use d2i_<TYPE>_PUBKEY instead of the generic
d2i_PUBKEY()

This required adding a number of new d2i_<TYPE>_PUBKEY functions.
These are all kept internal.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
65ef000ec2 PROV: Refactor DER->key decoder
The decoding of DER into keys with keytype specific routines depended
entirely on the absence of the generic algo specific C type from
EVP_PKEYs.  That is not necessary, and may even prove to be a bit of a
disadvantage, depending on what libcrypto has to offer in terms of
type specific d2i functionality for different kinds of input
structures.

To remedy, we try with all available type specific functions first,
and only turn to the general d2i functions (those that return an
EVP_PKEY) as a last resort.

Furthermore, there are cases where the decoder might not get the key
type it expected.  This may happen when certain key types that share
the same OpenSSL structure may be mixed up somehow.  The known cases
are EC vs SM2 and RSA vs RSA-PSS.

To remedy, we add the possibility to specify a checking function that
can check if the key that was decoded meets decoder expectations.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
2021-03-19 16:46:39 +01:00
Richard Levitte
2d101b0f49 Configure: check all DEPEND values against GENERATE, not just .h files
All files that are given to DEPEND statements in build.info files are
being checked against GENERATE statements, to see if it's reasonable
to look for them in the source tree or not.  This was only done for .h
files, for reasons that are lost in history.  We now change that check
to look at all files instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14598)
2021-03-19 16:44:46 +01:00
Tomas Mraz
6084b5c2c9 EVP_PKEY_get_*_param should work with legacy
Also do not shortcut the pkey == NULL case
to allow EVP_PKEY_get_params() to raise an error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14606)
2021-03-19 15:09:55 +01:00
Tomas Mraz
03cd9d2f23 ASYNC_start_job: Reset libctx when async_fibre_swapcontext fails
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14605)
2021-03-19 14:25:00 +01:00
Tomas Mraz
0e2f87c03e Added functions for printing EVP_PKEYs to FILE *
Fixes #14172

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14577)
2021-03-19 11:21:30 +01:00
Pauli
39f6bf33e5 test: fix Coverity 1454818: use after free
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14597)
2021-03-19 19:51:37 +10:00
Shane Lontis
ebdb5cccde Fix windows build compiler issue.
Another case of snprintf() being used.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14600)
2021-03-19 17:08:33 +10:00
Matt Caswell
2154a7a754 Update README-FIPS.md
The README-FIPS.md file was still the one used from 1.1.1. We update it
with 3.0 specific information.

Fixes #14237

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14575)
2021-03-19 13:44:32 +10:00
Richard Levitte
9fe4f5bc82 Fix a missing rand -> ossl_rand rename
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14609)
2021-03-18 16:52:38 +01:00
Matt Caswell
ee067bc066 Ensure we deregister thread handlers even after a failed init
If we attempt to init a provider but that init fails, then we should
still deregister any thread handlers. The provider may have failed after
these were registered.

Fixes #13338

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14576)
2021-03-18 12:00:42 +00:00
Pauli
7e7e034a10 apps: fix coverity 966560: division by zero
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14586)
2021-03-18 21:24:25 +10:00