Commit Graph

29059 Commits

Author SHA1 Message Date
Dr. David von Oheimb
6e328484ab OSSL_STORE_expect(): Improve error handling and documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15029)
2021-05-04 18:16:48 +02:00
Dr. David von Oheimb
7031f5821c OCSP: Minor improvements of documentation and header file
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15103)
2021-05-04 18:14:24 +02:00
Tomas Mraz
bad0d6c789 fips-checksums: The define for fips module is FIPS_MODULE
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15132)
2021-05-04 13:08:33 +02:00
Matt Caswell
f9548d21ba Document the new core BIO public API support
Fixes #14409

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15072)
2021-05-04 12:00:21 +01:00
Matt Caswell
93954ab050 Add a test for the public core bio API
Check that reading/writing to a core bio via BIO_new_from_core_bio()
works as expected.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15072)
2021-05-04 12:00:21 +01:00
Matt Caswell
b0ee1de9ab Create libcrypto support for BIO_new_from_core_bio()
Previously the concept of wrapping an OSSL_CORE_BIO in a real BIO was an
internal only concept for our own providers. Since this is likely to be
generally useful, we make it a part of the public API.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15072)
2021-05-04 12:00:21 +01:00
Tomas Mraz
e3188bae04 Run coveralls daily and not exactly at midnight
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15121)
2021-05-04 12:59:49 +02:00
Tomas Mraz
9deb202e6a coveralls: Enable fips as it is disabled by default
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15121)
2021-05-04 12:59:49 +02:00
Petr Gotthard
a0baa98b5c apps: Switch to X509_REQ_verify_ex
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15118)
2021-05-04 12:58:15 +02:00
Pauli
67cd43084c test: fix failure with FIPS and no-des configured.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15105)
2021-05-04 20:39:28 +10:00
Richard Levitte
5432d827ec APPS: Add passphrase handling in the "rsa" and "dsa" commands
They completely ignored any passphrase related setting.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15119)
2021-05-04 11:40:31 +02:00
Richard Levitte
49ce003740 APPS: Set a default passphrase UI for the "ec" command
Fixes #15114

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15119)
2021-05-04 11:40:31 +02:00
Richard Levitte
f97bc7c424 [TEMPORARY] make 'make update' verbose in ci.yml
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:32:16 +02:00
Richard Levitte
49f699b54d GitHub CI: ensure that unifdef is installed
This is required for 'make update' and fips checksums

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:32:16 +02:00
Richard Levitte
be22315235 FIPS module checksums: add scripts and Makefile rule
This adds the following scripts:

util/lang-compress.pl:

Compress source code, which language is determined by the first argument.
For the moment, we know 'perl' (perlasm source code), 'C' (C source code)
and 'S' (Assembler with C preprocessor directives).
This removes comments and empty lines, and compresses series of horizontal
spaces to one single space in the languages where that's appropriate.

util/fips-checksums.sh:

Takes source file names as arguments, pushes them through
util/lang-compress.pl and unifdef with FIPS_MODE defined, and calculates
the checksum on the result.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:32:16 +02:00
Richard Levitte
27ca03ea82 Unix build file: Add a target to create providers/fips.module.sources
This file will be the basis for the FIPS module checksum calculation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:32:16 +02:00
Richard Levitte
841a438c7f Add OpenSSL::Config::Query and use it in configdata.pm
OpenSSL::Config::Query is a configuration querying tool that's meant
to make it easier to query the diverse configuration data for info.
That's much easier than to dig through all the parts of %unified_info.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:29:56 +02:00
Richard Levitte
02669b677e Windows build file: add forgotten quotes on POD->html command line
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15084)
2021-05-04 10:16:33 +02:00
Richard Levitte
0d6c144e8d OpenSSL::Test: When prefixing command with $^X on Windows, fix it up!
The perl interpreter name itself might contain spaces and need quoting.
__fixup_prg() does this for us.

Fixes #14256

Co-authored-by: Tomáš Mráz <tomas@openssl.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15084)
2021-05-04 10:16:33 +02:00
Pauli
d1a770414a acvp-test: disable the ACVP testing code by default
It's only useful for the FIPS lab and shouldn't be in production.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15092)
2021-05-02 17:13:45 +10:00
FdaSilvaYY
045a893091 ssl: fix possible ref counting fields use before init.
`strdup(propq)` failure is doing a `goto err;` from where `SSL_CTX_free` is called.
The possible call is made before reference and lock fields setup.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15052)
2021-05-01 18:23:21 +02:00
Hubert Kario
dd28d1c4d3 man: s_server: fix text repetition in -alpn description
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15099)
2021-05-01 17:53:24 +02:00
Rich Salz
f4407385f5 APPS: Document the core of the opt_ API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14995)
2021-05-01 13:11:49 +02:00
Dmitry Belyavskiy
c0f4400c40 Use OCSP-specific error code for clarity
Fixes #12735

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/xxxxx)
2021-05-01 13:09:15 +02:00
Tomas Mraz
39da327294 Simplify AppVeyor configuration
Adjust the stuff we are building and testing in various
configurations to trim the run time a little bit.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15087)
2021-05-01 13:13:11 +10:00
Tomas Mraz
535130c39d Add -latomic to threads enabled 32bit linux builds
It might not be necessary with the most recent toolchain versions
but apparently many 32bit linux architectures and commonly used
toolchain versions require this.

It is also harmless to include even on architectures that do not
need it.

Fixes #14083

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15086)
2021-05-01 13:10:01 +10:00
Shane Lontis
38e12964a6 Fix no-fips-securitychecks test failure
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15091)
2021-05-01 13:09:07 +10:00
Petr Gotthard
91034b68b3 apps/ca,req,x509: Switch to EVP_DigestSignInit_ex
Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it
works with external providers.
Since EVP_DigestSignInit_ex requires a digest name instead of
an EVP_MD pointer, the apps using do_sign_init() had to be modified
to pass char* instead of EVP_MD*.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15014)
2021-04-30 21:02:59 +02:00
Daniel Bevenius
4489655c23 Fix typo in OSSL_DECODER_CTX_set_input_structure
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15085)
2021-04-30 16:38:57 +02:00
Richard Levitte
b7f7a15f6a STORE: Fix the repeated prompting of passphrase
OSSL_STORE's loading function could prompt repeatedly for the same
passphrase.  It turns out that OSSL_STORE_load() wasn't caching the
passphrase properly.  Fixed in this change.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15064)
2021-04-30 16:02:29 +02:00
Tomas Mraz
b594a22717 SM2 signatures work correctly only with SM3 digests
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15074)
2021-04-30 15:15:54 +02:00
Tomas Mraz
2c181ac5a6 sm2: Cleanup handling of DIGEST and DIGEST_SIZE parameters
Fixes #14873

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15074)
2021-04-30 15:15:54 +02:00
Richard Levitte
c230e938c7 CORE: Rework the pre-population of the namemap
The pre-population of names has become more thorough.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15066)
2021-04-30 11:15:00 +02:00
Richard Levitte
e73fc81345 STORE: Use the 'expect' param to limit the amount of decoders used
In the provider file: scheme loader implementation, the OSSL_DECODER_CTX
was set up with all sorts of implementations, even if the caller has
declared a limited expectation on what should be loaded, which means
that even though a certificate is expected, all the diverse decoders
to produce an EVP_PKEY are added to the decoding change.

This optimization looks more closely at the expected type, and only
adds the EVP_PKEY related decoder implementations to the chain if
there is no expectation, or if the expectation is one of
OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15066)
2021-04-30 11:15:00 +02:00
Pauli
38230e3011 acvp: fix the no-acvp_test build
A pair of the disabled string checks were incorrect.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15082)
2021-04-30 17:51:44 +10:00
Shane Lontis
455f254252 Update OSSL_STORE_attach() documentation to indicate it increases the ref_count of the passed in bio
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15058)
2021-04-30 16:04:53 +10:00
Shane Lontis
857c223bf7 Fix memory leak in load_key_certs_crls() when using stdin.
A newly created BIO object within this function calls
OSSL_STORE_attach() which increases the ref count to 2.
OSSL_STORE_close() then decrements the ref count by 1, so the BIO still
remains.

The following new test was picking up this leak using..
> valgrind openssl crl -hash -noout < test/testcrl.pem

Not quite sure why the existing tests were not picking this up
since they appear to run through a similiar path.. such as
> valgrind openssl pkey < test-runs/test_rsa/rsa-pkcs8-ff.dd

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15058)
2021-04-30 16:04:53 +10:00
Shane Lontis
e9d62da6c3 Fix CRL app so that stdin works.
Fixes #15031

The maybe_stdin needed to be passed to load_key_certs_crls().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15058)
2021-04-30 16:04:52 +10:00
Tomas Mraz
9ac653d81a Document the API breaking constification changes
The EVP_PKEY_asn1_set_public and EVP_PKEY_meth_set_copy have
some API breaking constification changes in 3.0.

Fixes #9296

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15068)
2021-04-30 11:06:47 +10:00
Eric Curtin
0b31c36797 Remove dated term and fixed typo anther
Just something I noticed while reading this code.
This was probably committed a very long time ago.
Fixed typo anther -> another.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15078)
2021-04-30 10:05:28 +10:00
Pauli
c7d848e220 remove end of line whitespace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
2021-04-30 09:15:50 +10:00
Jon Spillett
b536880c45 Add library context and property query support into the PKCS12 API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
2021-04-30 09:15:50 +10:00
Matt Caswell
d77ba503a2 Adjust ssl_test_new for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
ssl_test_new needed some adjustments in the event that DTLSv1.2 is disabled.

There are also adjustments required if using the FIPS module and DTLSv1.2
is disabled. The only DTLS version supported by the FIPS module is
DTLSv1.2.

Fixes  #14956

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
2021-04-29 15:52:49 +01:00
Matt Caswell
8ce390e139 Adjust sslapitest for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
sslapitest needed some adjustments in the event that DTLSv1.2 is disabled.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
2021-04-29 15:52:49 +01:00
Matt Caswell
fdf312709a Adjust dtlstest for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
dtlstest needed some adjustments in the event that DTLSv1.2 is disabled.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
2021-04-29 15:52:49 +01:00
Scott McPeak
0f077b5fd8 asn1_lib.c: ASN1_put_object: Remove comment about "class 0".
ASN1_put_object() was preceded by the nonsensical comment:

  /*
   * class 0 is constructed constructed == 2 for indefinite length constructed
   */

This is the result of concatenating two sentences in 0f113f3ee4 by
automated reformatting.  The first sentence, "class 0 is constructed",
goes back to d02b48c63a, the import of SSLeay 0.8.1b.  Even in that
context, it made little sense; class 0 means "universal", not
constructed, and there is no special significance to class 0 in this
function in any case.

Therefore I have simply removed that first sentence.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14998)
2021-04-29 13:53:19 +02:00
Tomas Mraz
c404e4fab3 Add test case for openssl crl -noout -hash output
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15044)
2021-04-29 11:36:12 +02:00
Tomas Mraz
872b7979c7 crl: noout is not an output item
Fixes #15034

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15044)
2021-04-29 11:36:12 +02:00
Dr. Matthias St. Pierre
3b9e47695f CHANGES: document the FIPS provider configuration and installation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
2021-04-29 11:26:58 +02:00
Dr. Matthias St. Pierre
f2ea01d9f1 README-FIPS: document the installation of the FIPS provider
Note that configuration and installation procedure has changed:

- The FIPS provider is now disabled by default and needs to
  be enabled by configuring with `enable-fips`.
- If the FIPS provider is enabled, it gets installed automatically.
  There is no extra installation step required anymore.

This is more natural and coincides with the expectation of the
user, namely "what's configured, gets installed".

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
2021-04-29 11:26:58 +02:00