Commit Graph

28074 Commits

Author SHA1 Message Date
Richard Levitte
2984445d3a TEST: Fix test/recipes/15-test_rsa.t
Perl strings should be compared with 'eq', not '=='.
This only generates a perl warning, so wasn't immediately noticed.

Also, remove the check of disabled 'dsa'.  That never made reak sense.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13645)
2020-12-15 14:27:23 +01:00
Richard Levitte
542b84881c APPS: Correct the output structure for public keys in 'openssl rsa'
'openssl rsa' would output a PKCS#1 structure when asked for a
SubjectPublicKeyInfo and vice versa.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13645)
2020-12-15 14:27:23 +01:00
Rich Salz
021410ea3f Check non-option arguments
Make sure all commands check to see if there are any "extra" arguments
after the options, and print an error if so.

Made all error messages consistent (which is to say, minimal).

Fixes: #13527

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13563)
2020-12-15 11:47:17 +01:00
Pauli
c678f68a19 test: document the random test ordering env variable
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13672)
2020-12-15 20:03:07 +10:00
Pauli
a21a1c23c9 test: print OPENSSL_TEST_RAND_ORDER=x when a randomised test fails.
The previous message "random seed x" is a lot less descriptive.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13672)
2020-12-15 20:03:07 +10:00
Rich Salz
2f06c34b0e Document OCSP_REQ_CTX_i2d.
Based on comments from David von Oheimb.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13620)
2020-12-15 10:36:59 +01:00
Rich Salz
ecef17c367 Deprecate OCSP_REQ_CTX_set1_req
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13620)
2020-12-15 10:36:59 +01:00
Dmitry Belyavskiy
249d559545 Skip tests depending on deprecated list -*-commands options
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
2020-12-15 04:39:58 +01:00
Dmitry Belyavskiy
a08489e241 Documenting the options deprecating in CHANGES.md
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
2020-12-15 04:39:58 +01:00
Dmitry Belyavskiy
8ce7579d7d Documenting the options deprecating
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
2020-12-15 04:39:58 +01:00
Dmitry Belyavskiy
a61fba5da6 Skip unavailable digests and ciphers in -*-commands
Fixes #13594

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
2020-12-15 04:39:58 +01:00
Dmitry Belyavskiy
cb75a155b6 Deprecate -cipher-commands and -digest-commands options
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
2020-12-15 04:39:58 +01:00
Dmitry Belyavskiy
908465be59 OPENSSL_NO_GOST has nothing to do with low-level algos
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13669)
2020-12-15 04:39:58 +01:00
Sebastian Andrzej Siewior
52c6c12c1c Configurations: PowerPC is big endian
Define B_ENDIAN on PowerPC because it is a big endian architecture. With
this change the BN* related tests pass.

Fixes: #12199

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12371)
2020-12-14 09:56:03 +01:00
Shane Lontis
3dafbd4468 Change AES-CTS modes CS2 and CS3 to also be inside the fips module.
The initial thought was that only CS1 mode (the NIST variant) was allowed.
The lab has asked if these other modes should be included.
The algorithm form indicates that these are able to be validated.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13639)
2020-12-14 13:46:49 +10:00
Shane Lontis
ac7750bb5e Fix Segfault in EVP_PKEY_CTX_dup when the ctx has an undefined operation.
Fixes #12438

Note: This worked in 1.1.1 so just returning an error is not valid.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13505)
2020-12-14 11:30:40 +10:00
Matt Caswell
c739222b5a Fix no-threads
Make OPENSSL_fork_prepare() et al always available even in a no-threads
build. These functions are no-ops anyway so this shouldn't make any
difference.

This fixes an issue where the symbol_presence test fails in a no-threads
build. This is because these functions have not been marked in
libcrypto.num as being dependent on thread support. Enclosing the
declarations of the functions in the header with an appropriate guard
does not help because we never define OPENSSL_NO_THREADS (we define the
opposite OPENSSL_THREADS). This confuses the scripts which only consider
OPENSSL_NO_* guards. The simplest solution is to just make them always
available.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13647)
2020-12-14 10:45:27 +10:00
Ankita Shetty
469491536d openssl.pod: Fix openSSL options doc
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13651)
2020-12-13 12:47:14 +01:00
Richard Levitte
2e1bc08100 Remove unnecessary guards around MSBLOB and PVK readers and writers
The OPENSSL_NO_RC4 guard remain around protected PVK tests in
test/endecoder_test.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13648)
2020-12-13 10:27:31 +01:00
Richard Levitte
a158f8cfb9 PEM: Unlock MSBLOB and PVK functions from 'no-dsa' and 'no-rc4'
All these functions are usable with RSA keys, there's no reason why
they should be unaccessible when DSA or RC4 are disabled.

When DSA is disabled, it's not possible to use these functions for
DSA EVP_PKEYs.  That's fine, and supported.

When RC4 is disabled, it's not possible to use these functions to
write encrypted PVK output.  That doesn't even depend on the
definition of OPENSSL_NO_RC4, but if the RC4 algorithm is accessible
via EVP, something that isn't known when building libcrypto.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13648)
2020-12-13 10:27:31 +01:00
Richard Levitte
e841938349 Building: Fix the library file names for MSVC builds to include multilib
In OpenSSL 1.1.1, VC-WIN64I and VC-WIN64A have a 'multilib' attribute
set, which affect the names of the produced libcrypto and libssl DLLs.
This restores that for OpenSSL 3.0.

Fixes #13659

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13670)
2020-12-13 00:26:29 +01:00
Richard Levitte
68e9125182 DOCS: Improve documentation of the EVP_PKEY type
This type was previously described in a note, which is hard to find
unless you already know where to look.

This change makes the description more prominent, and allows indexing
by adding it in the NAMES section.

The EVP_PKEY description is altered to conceptually allow an EVP_PKEY
to contain a private key without a corresponding public key.  This is
related to an OTC vote:

https://mta.openssl.org/pipermail/openssl-project/2020-December/002474.html

The description of EVP_PKEY for MAC purposes is amended to fit.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13629)
2020-12-13 00:24:39 +01:00
Pauli
a79148237e params: add integer conversion test cases.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13663)
2020-12-12 21:43:07 +10:00
Pauli
e9c5e64278 params: allow more variations in integer conversions.
Allow any sized integer to be converted to any other size integer via the
helpers.

Support for converting reals to/from integers remains restricted.

Fixes: #13429

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13663)
2020-12-12 21:43:07 +10:00
Richard Levitte
19ad83f6c8 DOCS: Update OSSL_DECODER_CTX_new_by_EVP_PKEY.pod to match declarations
Fixes #13441

We're also starting on a glossary, doc/man7/openssl-glossary.pod,
where terms we use should be explained.  There's no need to explain
terms as essays, but at least a few quick lines, and possibly a
reference to some external documentation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13581)
2020-12-11 18:49:42 +01:00
Matt Caswell
05fa5fde10 Fix some typos in EVP_PKEY-DH.pod
A missing newline messes up how the code sample is rendered. Also a few
miscellaneous typos are fixed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13643)
2020-12-11 11:10:56 +00:00
Matt Caswell
730bee5253 Skip cms tests using RC2 if no legacy provider
Fixes #12510

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:34 +00:00
Matt Caswell
abec331fd3 Don't run a legacy specific PKCS12 test if no legacy provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:34 +00:00
Matt Caswell
8891a12b5b Don't use the legacy provider in test_store if its not available
If we don't have the legacy provider then we avoid having to use it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:34 +00:00
Matt Caswell
d5e8d26008 Don't load the legacy provider in test_evp_libctx unnecessarily
We don't need the legacy provider, so don't load it. This avoids
problems in a no-legacy build

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
f2130201f1 Don't load the legacy provider if not available in test_enc_more
If the legacy provider isn't available then we shouldn't attempt to
load or use it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
81959b26a3 Skip testing ciphers in the legacy provider if no legacy
test_enc should not test ciphers that are not available due to a lack
of the legacy provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
39e3daeead Don't load the legacy provider in endecoder_legacy_test
In spite of the name the endecoder_legacy_test does not need the
legacy provider. Therefore we avoid loading it so that no-legacy
builds still run the test successfully.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
49da54b9fa Don't use legacy provider if not available in test_ssl_old
If we've been configured with no-legacy then we should not attempt to
load the legacy provider.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
5ae54dbac1 Fix sslapitest.c if built with no-legacy
We skip a test that uses the no-legacy option. Unfortuantely there is
no OPENSSL_NO_LEGACY to test, so we just check whether we were successful
in loading the legacy provider - and if not we skip the test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
3a43b30ebb Skip evp_test cases where we need the legacy prov and its not available
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
a67c70107c Don't use no-asm in the Github CIs
no-asm has proven to be too slow, therefore we don't use it in the Github
CI builds and instead rely on it being covered by run-checker.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13607)
2020-12-11 10:54:40 +00:00
Shane Lontis
acd3e548bc Add fips self tests for all included kdf
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13480)
2020-12-11 10:59:32 +10:00
Shane Lontis
f0591559f6 Add validate method to ECX keymanager
Fixes #11619

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13459)
2020-12-11 10:53:19 +10:00
Dr. David von Oheimb
1a683b80dc apps/{ca,req,x509}.c: Improve diag and doc mostly on X.509 extensions, fix multiple instances
This includes a general correction in the code (now using the X509V3_CTX_REPLACE flag)
and adding a prominent clarification in the documentation:

    If multiple entries are processed for the same extension name,
    later entries override earlier ones with the same name.

This is due to an RFC 5280 requirement - the intro of its section 4.2 says:

    A certificate MUST NOT include more than one instance of a particular extension.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
98ba251fe6 openssl_hexstr2buf_sep(): Prevent misleading 'malloc failure' errors on short input
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
8ca661abd7 v2i_AUTHORITY_KEYID(): Correct out-of-memory behavior and avoid mem leaks
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
f902716f24 X509V3_EXT_add_nconf_sk(): Improve description and use of 'sk' arg, which may be NULL
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
374f72cedd openssl-ca.pod.in: Clarify the -extensions/-crlexts options vs. x509_extensions/crl_extensions
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
9c3a52f2a2 apps/x509.c: Factor out common aspects of X509 signing
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
6c9515b763 apps/{req,x509,ca}.c: Cleanup: move shared X509{,_REQ,_CRL} code to apps/lib/apps.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
d858e743a9 apps/{req,x509,ca}.c: Clean up code setting X.509 cert version v3
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
e9701a0141 x509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKeyIdentifier
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
7c051ecce4 apps/req.c: Improve diagnostics on multiple/overriding X.509 extensions defined via -reqext option
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
bca7ad6efd Use adapted test_get_libctx() for simpler test setup and better error reporting
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13001)
2020-12-10 11:01:26 +01:00