Dr. David von Oheimb
5ea4c6e553
apps/cmp.c: Improve example given for -geninfo option (also in man page)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825 )
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
1cd77e2eca
OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825 )
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
4d2b2889da
openssl-cmp.pod.in: Update Insta Demo CA port number in case needed
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825 )
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
62261446b2
apps/cmp.c: Improve user guidance on missing -subject etc. options
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825 )
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
7a7d6b514f
apps/cmp.c: Improve documentation of -extracerts, -untrusted, and -otherpass
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825 )
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
ef2d3588e8
apps/cmp.c: Improve documentation of -secret, -cert, and -key options
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825 )
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
82bdd64193
check_chain_extensions(): Require X.509 v3 if extensions are present
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478 )
2020-09-11 07:43:52 +02:00
Dr. David von Oheimb
e41a2c4c60
check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478 )
2020-09-11 07:43:34 +02:00
Dr. David von Oheimb
d72c8b457b
x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478 )
2020-09-11 07:42:23 +02:00
Dr. David von Oheimb
bb377c8d6c
check_chain_extensions(): Add check that CA cert includes key usage extension
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478 )
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
da6c691d6d
check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478 )
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
89f13ca434
check_chain_extensions(): Add check that AKID and SKID are not marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478 )
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
8a639b9d72
check_chain_extensions(): Add check that Basic Constraints of CA cert are marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478 )
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
1e41dadfa7
Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c
add various checks for malformedness to static check_chain_extensions() in x509_vfy.c
improve error reporting of X509v3_cache_extensions() in v3_purp.c
add error reporting to x509_init_sig_info() in x509_set.c
improve static setup_dp() and related functions in v3_purp.c and v3_crld.c
add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478 )
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
b0a4cbead3
apps/cmp.c: Improve safeguard assertion on consistency of cmp_options[] and cmp_vars[]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12836 )
2020-09-11 08:06:47 +10:00
Dr. David von Oheimb
d3dbc9b500
apps_ui.c: Correct password prompt for ui_method
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12493 )
2020-09-10 22:01:07 +02:00
Dr. David von Oheimb
591ceeddb3
apps_ui.c: Correct handling of empty password from -passin
This is done in analogy to commit ca3245a619
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12493 )
2020-09-10 22:01:07 +02:00
Dr. David von Oheimb
f84de16f39
apps_ui.c: Improve error handling and return value of setup_ui_method()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12493 )
2020-09-10 22:01:07 +02:00
Shane Lontis
9a62ccbe8a
Fix fipsinstall module path
If a path is specified with the -module option it will use this path to load the library when the provider is activated,
instead of also having to set the environment variable OPENSSL_MODULES.
Added a platform specific opt_path_end() function that uses existing functionality used by opt_progname().
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12761 )
2020-09-11 03:50:09 +10:00
Richard Levitte
9f604ca13d
STORE: Fix OSSL_STORE_attach() to check |ui_method| before use
ossl_pw_set_ui_method() demands that the passed |ui_method| be
non-NULL, and OSSL_STORE_attach() didn't check it beforehand.
While we're at it, we remove the passphrase caching that's set at the
library level, and trust the implementations to deal with that on
their own as needed.
Fixes #12830
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12831 )
2020-09-10 13:39:30 +02:00
Dr. David von Oheimb
5a0991d0d9
Add/harmonize multi-valued RDN support and doc of ca, cmp, req, storeutl, and x509 apps
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769 )
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
5fdcde816f
X509_NAME_cmp(): Clearly document its semantics, referencing relevant RFCs
Fixes #12765
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769 )
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
a8e2a9f569
X509_NAME_add_entry_by_txt.pod: Improve documentation w.r.t. multi-valued RDNs (containing sets of AVAs)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769 )
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
bc64c5a69b
X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769 )
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
2aa91df406
X509_NAME_oneline(): Fix output of multi-valued RDNs, escaping '/' and '+' in values
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769 )
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
115786793c
X509_NAME_print_ex.pod: re-format lines to fit within 80 chars limit
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769 )
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
388f2d9f6c
app_load_config_bio(): fix crash on error
It turns out that the CONF_modules_load(conf, NULL, 0) call is just wrong.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12817 )
2020-09-10 12:03:51 +02:00
Matt Caswell
3101ab603c
Fix an EVP_MD_CTX leak
If we initialise an EVP_MD_CTX with a legacy MD, and then reuse the same
EVP_MD_CTX with a provided MD then we end up leaking the md_data.
We need to ensure we free the md_data if we change to a provided MD.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12779 )
2020-09-10 11:35:42 +02:00
Richard Levitte
b830e00429
Diverse build.info: Adjust paths
Fixes #12815
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12816 )
2020-09-10 09:50:56 +02:00
Dr. David von Oheimb
bb30bce22b
bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
543a802fab
bugfix in ossl_cmp_msg_protect(): set senderKID and extend extraCerts also for unprotected CMP requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
6199478101
bugfix in ossl_cmp_msg_add_extraCerts(): should include cert chain when using PBM
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
7eb48cfc66
test/cmp_{client,msg}_test.c: minor code cleanup
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12655 )
2020-09-10 07:35:07 +02:00
Dr. David von Oheimb
eb5087fc7c
test/recipes/81-test_cmp_cli_data/Mock/server.cnf: minor cleanup
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12655 )
2020-09-10 07:35:07 +02:00
Dr. David von Oheimb
4245fd64c8
81-test_cmp_cli: Make test output files all different according to #11080
Also some minor improvements mostly of test cases regarding PKCS#10 CSR input
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12655 )
2020-09-10 07:35:07 +02:00
Dr. David von Oheimb
57371e1674
81-test_cmp_cli.t: Stop unlinking test output files according to #11080
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12655 )
2020-09-10 07:35:07 +02:00
Dr. David von Oheimb
c4adc5ba5b
apps.c: Fix mem leaks on error in load_certs() and load_crls()
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12823 )
2020-09-10 07:15:00 +02:00
Dr. David von Oheimb
a877d2629b
apps/cmp.c: clear leftover errors on loading libengines.so etc.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12824 )
2020-09-10 07:12:20 +02:00
Dr. David von Oheimb
87495d56a9
apps.c: Fix diagnostics and return value of load_key_certs_crls() on error
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12824 )
2020-09-10 07:12:20 +02:00
Dr. David von Oheimb
aad086e2ae
Replace all wrong usages of 'B<...>' (typically by 'I<...>') in OSSL_CMP_CTX_new.pod
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741 )
2020-09-10 07:07:55 +02:00
Dr. David von Oheimb
a0745e2be6
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
* Use strengthened cert chain building, verifying chain using optional trust store
while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741 )
2020-09-10 07:07:55 +02:00
Rich Salz
474853c39a
Fix markdown nits in NOTES-Windows.txt
And add a comment that this file is in markdown, but has a .txt
extension on purpose.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12805 )
2020-09-10 08:57:55 +10:00
Kurt Roeckx
10203a3472
Support writing RSA keys using the traditional format again
Fixes: #6855
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8743
2020-09-09 18:32:10 +02:00
Richard Levitte
8ae40cf57d
ENCODER: Refactor provider implementations, and some cleanup
The encoder implementations were implemented by unnecessarily copying
code into numerous topical source files, making them hard to maintain.
This change merges all those into two source files, one that encodes
into DER and PEM, the other to text.
Diverse small cleanups are included.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12803 )
2020-09-09 16:35:22 +02:00
Jon Spillett
ce43db7a3f
Fix up issue on AIX caused by broken compiler handling of macro expansion
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12812 )
2020-09-09 19:08:59 +10:00
Pauli
b7a8fb52a9
s_time: check return values better
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12808 )
2020-09-09 18:01:05 +10:00
Pauli
e942111267
In a non-shared build, don't include the md5 object files in legacy provider
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961 )
2020-09-09 17:59:08 +10:00
Pauli
5c97eeb726
TLS fixes for CBC mode and no-deprecated
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961 )
2020-09-09 17:59:08 +10:00
Pauli
b924d1b6e1
TLS: remove legacy code path supporting special CBC mode
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961 )
2020-09-09 17:59:08 +10:00
Pauli
81661a14bc
legacy: include MD5 code in legacy provider
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961 )
2020-09-09 17:59:08 +10:00