Commit Graph

29624 Commits

Author SHA1 Message Date
Richard Levitte
73c02a6201 ENCODER: Drop OSSL_ENCODER_PARAM_INPUT_TYPE
This was a poor substitute for using the name of the decoder implementation,
and since there is functionality to get the latter now, this parameter
can be dropped.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
2021-06-05 20:30:47 +10:00
Richard Levitte
6462a4f050 PROV: drop get_params() and gettable_params() from all decoder implementations
They aren't needed at all any more, since the properties contain the
same information.

This also drops the parameter names OSSL_DECODER_PARAM_INPUT_TYPE
and OSSL_DECODER_PARAM_INPUT_STRUCTURE.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
2021-06-05 20:30:35 +10:00
Richard Levitte
9379bf943a DECODER: use property definitions instead of getting implementation parameters
The OSSL_DECODER library used to ask each decoder implementation for
certain data in form of parameters to place them correctly in the
decoder chain, if at all.  These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.

Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.

This adds the "global" error reason ERR_R_INVALID_PROPERTY_DEFINITION,
which can be re-used elsewhere.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
2021-06-05 20:30:11 +10:00
Richard Levitte
6ec3b2cf49 property: Add functionality to query data from a property definition
This required making some OSSL_PROPERTY types a little less private.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
2021-06-05 20:29:47 +10:00
Richard Levitte
0b3fe363e6 make update-fips-checksums
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15615)
2021-06-05 10:38:37 +02:00
Richard Levitte
50360c1a4b FIPS: don't include crypto/passphrase.c in libfips.a
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15615)
2021-06-05 10:32:13 +02:00
Matt Caswell
3d9d1ce529 Add documentation for newly added ASN1 functions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:27 +10:00
Matt Caswell
d2b6c06274 Ensure libctx/propq is propagated when handling X509_REQ
When we create via d2i or dup an X509_REQ we should ensure that the libctx
is properly propagated. We also ensure we create X509_REQ objects with the
proper libctx assigned in the CMP tests.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:27 +10:00
Matt Caswell
7be04a3ac4 Give ASN.1 objects the ability to report their libctx/propq
Some ASN.1 objects have an embedded libctx/propq. If they have one we
give the ASN.1 code the ability to find these values and use them where
needed. This is used for OSSL_CMP_MSG_dup() and X509_dup().

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:27 +10:00
Matt Caswell
6282d6c284 Make sure X509_dup() also dup's any associated EVP_PKEY
Otherwise we can end up with a blank EVP_PKEY. If it is later recreated
it can end up with the wrong libctx/propq.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:27 +10:00
Matt Caswell
c631378058 Use the new ASN.1 libctx aware capabilities in CMP
Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Matt Caswell
5dca2afca3 Use the new ASN.1 libctx aware functions in CMS
Make sure we pass the libctx around when working with CMS structures

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Matt Caswell
dea2878fac Teach more of the ASN.1 code about libctx/propq
Make sure we pass libctx/propq down to all the layers so that objects that
are created during parsing have the right values. Then use this new
capability for PKCS7.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Matt Caswell
c8a9af97c9 Teach the ASN.1 code how to create embedded objects with libctx/propq
An ASN.1 object such as an X509 may have embedded objects in it such as
an X509_PUBKEY. If there is a libctx/propq in use then we need to make sure
we pass these down to the constructors of these embedded objects.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Matt Caswell
6265348346 Fix evp_extra_test to use libctx in an X509_PUBKEY
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Matt Caswell
d6ded941c9 Provide the ability to create an X509_PUBKEY with a libctx/propq
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Matt Caswell
f43f9d6313 Test a bad SmtpUTF8Mailbox name constraint
We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)
2021-06-04 17:18:31 +01:00
Matt Caswell
39145c4111 Check that we got the expected name type when verifying name constraints
If a SAN field contains an SmtpUTF8Mailbox name then it is expected to
have a UTF8String type. We should verify that it really does before we
attempt to use the value in it.

Reported by Corey Bonnell

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)
2021-06-04 17:18:31 +01:00
Tomas Mraz
0e0a47377f Update fips checksums to drop the ssl headers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15609)
2021-06-04 17:06:47 +02:00
Tomas Mraz
085e3cecbd Move libssl related defines used by fips provider to prov_ssl.h
This nicely reduces the number of files considered as fips
provider sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15609)
2021-06-04 17:06:47 +02:00
Pauli
51cda01c61 req: detect a bad choice of digest early
This is a regression against 1.1.1 when an unknown digest was detected
early.

Fixes #15285

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15602)
2021-06-04 18:03:25 +10:00
Tomas Mraz
6a2f82b439 req: fix default bits handling for -newkey
Fixes #15569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15582)
2021-06-04 15:09:12 +10:00
Dr. David von Oheimb
5d8ea84efa 80-test_http.t: Rename to 79-test_http.t, add basic HTTP server ACCEPT test
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15592)
2021-06-04 07:07:32 +02:00
Dr. David von Oheimb
c796cc9768 80-test_cmp_http.t: Improve comparison on server_port variable
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15592)
2021-06-04 07:07:32 +02:00
Rich Salz
43c2456f0f Add md-nits task
Assumes that Ruby is installed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15590)
2021-06-04 13:04:18 +10:00
Matt Caswell
f570d33b02 Only call dtls1_start_timer() once
The function dtls1_handle_timeout() calls dtls1_double_timeout() which
was calling dtls1_start_timer(). However dtls1_start_timer() is also
called directly by dtls1_handle_timeout(). We only need to start the timer
once.

Fixes #15561

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15595)
2021-06-04 11:06:08 +10:00
Dr. David von Oheimb
d0196ddcba CI windows.yml: Silence 'nmake' builds except 'minimal'; ci.yml: make 'minimal' build verbose
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15594)
2021-06-04 09:39:09 +10:00
Matt Caswell
376a8c3f46 Teach ASN1_item_verify_ctx() how to handle provided keys
We need to special case RSA-PSS because that uses X509_ALGOR style
parameters and we have no support for this on the provider side at this
stage.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15527)
2021-06-03 17:18:57 +01:00
Tomas Mraz
18d9c9bf96 openssl spkac: Fix reading SPKAC data from stdin
Fixes #15367

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15593)
2021-06-03 18:07:56 +02:00
Tomas Mraz
7d69c07ddf OPENSSL_init_crypto must return 0 when cleanup was done
Fixes #15581

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15589)
2021-06-03 17:42:21 +02:00
bonniegong
effb0dcf86 Check the return value of ASN1_STRING_length
ASN1_STRING_length gets the field 'length' of msg, which
can be manipulated through a crafted input.
Add a check to avoid error execution of OPENSSL_malloc().

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15583)
2021-06-03 17:09:02 +02:00
Jon Spillett
f6b6574cd7 80-test_cmp_http.t: Re-enable CMP tests for AIX, removing some inessential test cases
Remove negative test cases which simulate an attempt to write file contents to a directory
using a path ending in '/' as this is not compatible with fopen on all platforms, e.g., AIX.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15575)
2021-06-03 16:14:15 +02:00
Richard Levitte
b7d2bd1219 Deprecate EVP_CIPHER_impl_ctx_size and EVP_CIPHER_CTX_buf_noconst
Fixes #15519

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15584)
2021-06-03 12:46:47 +02:00
Richard Levitte
17213b2ad0 Restore all the ? in util/libcrypto.num
They will become numbers again when beta1 is actually released.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15578)
2021-06-03 09:18:54 +02:00
Richard Levitte
cbba082fc0 util/mknum.pl: Really allow unset ordinals in development
Any pre-release tag that includes '-dev' is development.  The ordinals
don't need to be finalized before '-dev' is removed (i.e. a release is
made).

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15578)
2021-06-03 09:18:54 +02:00
Shane Lontis
ba3ea453b0 Fix errors found by parfait static analyser.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15579)
2021-06-03 16:15:41 +10:00
Pauli
6436030486 rsa: make the maximum key strength check FIPS only.
To be reverted once key generation checks are added everywhere and a way to
disable them implemented.

Fixes #15502

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15560)
2021-06-03 15:32:38 +10:00
yuechen-chen
691c9cd16b Add an EVP demo for signatures using EC
Fixes #14115

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15429)
2021-06-03 15:21:17 +10:00
Pauli
74613e8c97 update checksums
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15574)
2021-06-03 11:58:18 +10:00
Pauli
c912e0c616 util: update FIPS checksumming script to be more aggressive with whitespace
Fixes #15562

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15574)
2021-06-03 11:56:21 +10:00
Jon Spillett
8a5bd05da8 Add enable-fips to CI configuration
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15537)
2021-06-03 07:33:13 +10:00
Jon Spillett
c29b71c367 Disable tracing within the FIPS module
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15537)
2021-06-03 07:32:54 +10:00
Tomas Mraz
ea82158103 ed25519 and ed448: fix incorrect OSSL_PKEY_PARAM_MAX_SIZE
Fixes #15552

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15566)
2021-06-02 17:17:51 +02:00
Dr. David von Oheimb
4388417157 80-test_cms.t: Replace use of ee-self-signed.pem by more suitable smrsa1.pem
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)
2021-06-02 14:49:13 +02:00
Dr. David von Oheimb
07e84e67a6 ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15499)
2021-06-02 14:49:13 +02:00
Pauli
5bcbdee621 list: update to not use XXX_get_number() calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)
2021-06-02 20:45:51 +10:00
Pauli
45e6e5073a store: include internal header
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)
2021-06-02 20:45:51 +10:00
Pauli
d11e555082 doc: fix OSSL_(EN|DE)CODER_get0_name function names
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)
2021-06-02 20:45:51 +10:00
Pauli
bcd5d3a22d libcrypto: make XXX_get_number() internal
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)
2021-06-02 20:45:39 +10:00
Pauli
6ea964cd4a doc: make XXX_get_number() internal
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)
2021-06-02 20:45:39 +10:00