Commit Graph

27152 Commits

Author SHA1 Message Date
Matt Caswell
e144fd36ce Fix safestack issues in x509v3.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:09:45 +01:00
Matt Caswell
e6623cfbff Fix safestack issues in x509.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:09:45 +01:00
Matt Caswell
6ac1cd10ba Fix safestack issues in ssl.h
We fix 3 problems with safestack:
- Including an openssl header file without linking against libcrypto
  can cause compilation failures (even if the app does not otherwise need
  to link against libcrypto). See issue #8102
- Recent changes means that applications in no-deprecated builds will need
  to include additional macro calls in the source code for all stacks that
  they need to use - which is an API break. This changes avoids that
  necessity.
- It is not possible to write code using stacks that works in both a
  no-deprecated and a normal build of OpenSSL. See issue #12707.

Fixes #12707
Contains a partial fix for #8102. A similar PR will be needed for hash to
fully fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:09:45 +01:00
Randall S. Becker
08073700cc NonStop port updates for 3.0.0.
HPE NonStop Port Changes for 3.0.0  Includes unthreaded, PUT, and SPT for OSS.

The port changes include wrapping where necessary for FLOSS and
appropriate configuration changes to support that. Two tests
are excluded as being inappropriate for the platform.

The changes are:
* Added /usr/local/include to nonstop-nsx_spt_floss to load floss.h
* Added SPT Floss variant for NonStop
* Wrapped FLOSS definitions in OPENSSL_TANDEM_FLOSS to allow selective enablement.
* SPT build configuration for NonStop
* Skip tests not relevant for NonStop
* PUT configuration changes required for NonStop platforms
* Configurations/50-nonstop.conf: updates for TNS/X platform.
* FLOSS instrumentation for HPE NonStop TNS/X and TNS/E platforms.
* Configurations/50-nonstop.conf: modifications for non-PUT TNS/E platform b
* Fix use of DELAY in ssltestlib.c for HPNS.
* Fixed commit merge issues and added floss to http_server.c

CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes #5087.

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12800)
2020-09-12 20:32:11 +02:00
Richard Levitte
f0c62c5328 TEST: Add a test of EC key generation with encoding spec
The primary function of this test is to exercise
EVP_PKEY_CTX_set_ec_param_enc().

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:52 +02:00
Richard Levitte
655f73cecf EVP: Add the internal convenience function evp_keymgmt_util_export()
This is purely to allow exporting without having to repeatedly specify
the keymgmt and keydata from the EVP_PKEY.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:52 +02:00
Shane Lontis
96bb4ff9b8 Fix EVP_PKEY_CTX_ctrl() documentation
Remove references to 'macro' from EVP_PKEY_CTX_ctrl() as they are all
functions now, and update the HISTORY section.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:38 +02:00
Shane Lontis
33dd828d97 Update doc for EVP_PKEY_CTX_set_ec_param_enc()
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:22 +02:00
Richard Levitte
7229a2f4ab EC: Reimplement EVP_PKEY_CTX_set_ec_param_enc() to support providers
Fixes #12852

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:22 +02:00
Richard Levitte
4588f35b5a dev/release.sh: Rework to be smoother
It now creates all the necessary feature branches for github in your
repository, making the cloned sub-directory unnecessary for post-release
purposes.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12614)
2020-09-12 20:09:57 +02:00
Shane Lontis
35e6ea3bdc keygen: add FIPS error state management to conditional self tests
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:51 +10:00
Pauli
801ed9edba CRNGT: enter FIPS error state if the test fails
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:51 +10:00
Pauli
5736923f12 FIPS: error mode is set from failed self tests and produced a limited number of errors when algorithm accesses are attempted
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:51 +10:00
Pauli
f99d3eedf7 ciphers: add FIPS error state handling
The functions that check for the provider being runnable are: new, init, final
and dupctx.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:51 +10:00
Pauli
422cbcee61 keymgmt: add FIPS error state handling
The functions that check for the provider being runnable are: new, gen_init,
gen, gen_set_template, load, has, match, validate, import and export.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:51 +10:00
Pauli
f590a5ea1a signature: add FIPS error state handling
The functions that check for the provider being runnable are: newctx, dupctx,
sign init, sign, verify init, verify, verify recover init, verify recover,
digest sign init, digest sign final, digest verify init and digest verify final.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Pauli
ca94057fc3 exchange: add FIPS error state handling
The functions that check for the provider being runnable are: newctx, dupctx,
init, derive and set peer.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Pauli
2b9e4e956b kdf: add FIPS error state handling
Check for provider being disabled on new and derive.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Pauli
5b104a81f0 mac: add FIPS error state handling
Check for provider being runnable in new, dup, init and final calls.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Pauli
aef30ad0b6 rand: add FIPS error state handling
Check for provider being runnable in instantiate, reseed, generate and new calls.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Pauli
87fe138d35 asymciphers: add FIPS error state handling
Check for provider being runnable in newctx, init, encrypt and decrypt.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Pauli
1c1daab94c digests: add FIPS error state handling
Check for providering being runnable in init, final, newctx and dupctx.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Pauli
6cf3730267 FIPS: rename the status call to is_running.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Pauli
eab7b4240d provider: add an 'is_running' call to all providers.
It can be accessed (read only) via the status parameter.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:20 +10:00
Shane Lontis
5e8cd0a4f4 Fix coverity issue: CID 1466479 - Resource leak in apps/pkcs12.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:24 +10:00
Shane Lontis
97f7a6d42e Fix coverity issue: CID 1466482 - Resource leak in OSSL_STORE_SEARCH_by_key_fingerprint()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:24 +10:00
Shane Lontis
9951eaf467 Fix coverity issue: CID 1466483 - Improper use of Negative value in dh_ctrl.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:24 +10:00
Shane Lontis
0f0b7dfbe5 Fix coverity issue: CID 1466484 - Remove dead code in PKCS7_dataInit()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:24 +10:00
Shane Lontis
6e417f951c Fix coverity issue: CID 1466485 - Explicit NULL dereference in OSSL_STORE_find()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:23 +10:00
Shane Lontis
3481694946 Fix coverity issue: CID 1466486 - Resource leak in OSSL_STORE
Note that although this is a false positive currently, it could become possible if any of the methods called
change behaviour - so it is safer to add the fix than to ignore it. Added a simple test so that I could prove this was the case.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:23 +10:00
Richard Levitte
c1aba0763c OSSL_DECODER 'decode' function must never be NULL.
The conditions for a valid implementation allowed the 'decode'
function to be NULL or the 'export_object' was NULL.  That condition
is changed so that 'decode' is checked to be non-NULL by itself.

Fixes #12819

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12849)
2020-09-12 03:53:32 +02:00
Richard Levitte
c88f6f0e40 TEST: skip POSIX errcode zero in tesst/recipes/02-test_errstr.t
On most systems, there is no E macro for errcode zero in <errno.h>,
which means that it seldom comes up here.  However, reports indicate
that some platforms do have an E macro for errcode zero.
With perl, errcode zero is a bit special.  Perl consistently gives
the empty string for that one, while the C strerror() may give back
something else.  The easiest way to deal with that possible mismatch
is to skip this errcode.

Fixes #12798

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12799)
2020-09-12 03:51:21 +02:00
Biswapriyo Nath
c9352933fe fuzz/test-corpus: check if PATH_MAX is already defined
CLA: trivial

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12620)
2020-09-11 20:07:26 +03:00
Chris Novakovic
64713cb10d apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified
When generating a CRL using the "ca" utility, allow values for the
lastUpdate and nextUpdate fields to be specified using the command line
options -crl_lastupdate and -crl_nextupdate respectively.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12784)
2020-09-11 14:32:27 +03:00
Dr. David von Oheimb
0e60ce6334 Improve robustness and performance of building Unix static libraries
This is a fixup of 385deae79f, which solved #12116

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12821)
2020-09-11 12:21:57 +02:00
Dr. David von Oheimb
5ea4c6e553 apps/cmp.c: Improve example given for -geninfo option (also in man page)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
1cd77e2eca OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
4d2b2889da openssl-cmp.pod.in: Update Insta Demo CA port number in case needed
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
62261446b2 apps/cmp.c: Improve user guidance on missing -subject etc. options
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
7a7d6b514f apps/cmp.c: Improve documentation of -extracerts, -untrusted, and -otherpass
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
ef2d3588e8 apps/cmp.c: Improve documentation of -secret, -cert, and -key options
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
82bdd64193 check_chain_extensions(): Require X.509 v3 if extensions are present
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:43:52 +02:00
Dr. David von Oheimb
e41a2c4c60 check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:43:34 +02:00
Dr. David von Oheimb
d72c8b457b x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:23 +02:00
Dr. David von Oheimb
bb377c8d6c check_chain_extensions(): Add check that CA cert includes key usage extension
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
da6c691d6d check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
89f13ca434 check_chain_extensions(): Add check that AKID and SKID are not marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
8a639b9d72 check_chain_extensions(): Add check that Basic Constraints of CA cert are marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
1e41dadfa7 Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c
add various checks for malformedness to static check_chain_extensions() in x509_vfc.c
improve error reporting of X509v3_cache_extensions() in v3_purp.c
add error reporting to x509_init_sig_info() in x509_set.c
improve static setup_dp() and related functions in v3_purp.c and v3_crld.c
add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
b0a4cbead3 apps/cmp.c: Improve safeguard assertion on consistency of cmp_options[] and cmp_vars[]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12836)
2020-09-11 08:06:47 +10:00