Commit Graph

26581 Commits

Author SHA1 Message Date
Viktor Dukhovni
7717459892 Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts.  The commands can be repeated to set
bounds of both types.  The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.

SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds.  Previously
attempts to apply bounds to these protocol versions would result in an
error.  Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.

Expected to resolve #12394

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #12472
2020-07-21 16:40:07 -02:00
Richard Levitte
5ac582d949 DOC: Fix SSL_CTX_set_cert_cb.pod and SSL_CTX_set_client_cert_cb.pod
The 'cert_cb' / 'client_cert_cb' arguments had extra, a bit weird
documentation.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12494)
2020-07-21 18:52:29 +02:00
Richard Levitte
8eca461731 util/find-doc-nits: Relax check of function declarations in name_synopsis()
The relaxation allows spaces between function name and argument list,
to allow line breaks like this when there are very long names:

    int (fantastically_long_name_breaks_80char_limit)
        (fantastically_long_name_breaks_80char_limit *something);

This revealed some other intricaties, such as documented internal
structures with function pointers inside, so a check of open
structures was also added, and they are now simply skipped over.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12494)
2020-07-21 18:52:29 +02:00
Richard Levitte
904f42509f PROV: Move bio_prov.c from libcommon.a to libfips.a / libnonfips.a
libcommon.a is FIPS agnostic, while libfips.a and libnonfips.a are
FIPS / non-FIPS specific.  Since bio_prov.c checks FIPS_MODULE, it
belongs to the latter.

Along with this, a bit more instruction commentary is added to
providers/build.info.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/12486)
2020-07-21 11:52:32 +02:00
Nihal Jere
7e4f01d8ba fixed swapped parameter descriptions for x509
CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12482)
2020-07-21 10:32:13 +03:00
Shane Lontis
9f7bdcf37f Add ERR_raise() errors to fips OSSL_provider_init and self tests.
As the ERR_raise() is setup at this point returng a range of negative values for errors is not required.
This will need to be revisited if the code ever moves to running from the DEP.
Added a -config option to the fips install so that it can test if a fips module is loadable from configuration.
(The -verify option only uses the generated config, whereas -config uses the normal way of including the generated data via another config file).
Added more failure tests for the raised errors.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12346)
2020-07-21 16:30:02 +10:00
Shane Lontis
823a113574 Fix API rename issue in shim layer that calls EVP_MAC_CTX_set_params
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12483)
2020-07-21 08:51:18 +10:00
Dimitri John Ledkov
02e14a65fd man3: Drop warning about using security levels higher than 1.
Today, majority of web-browsers reject communication as allowed by the
security level 1. Instead key sizes and algorithms from security level
2 are required. Thus remove the now obsolete warning against using
security levels higher than 1. For example Ubuntu, compiles OpenSSL
with security level set to 2, and further restricts algorithm versions
available at that security level.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12444)
2020-07-20 12:36:47 -07:00
Dr. David von Oheimb
16c6534b96 check-format.pl: Add an entry about it to NEWS.md and to CHANGES.md
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Dr. David von Oheimb
174f4a4d6a check-format.pl: Report empty lines only if -s (--sloppy-spc) is not used
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Dr. David von Oheimb
dc18781550 check-format.pl: Add check for essentially empty line at beginning of file
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Dr. David von Oheimb
43b2e9e008 check-format.pl: Add check for multiples essentially empty lines in a row
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Dr. David von Oheimb
a77571c34f check-format.pl: Allow comment start '/*' after opening '(','[','{'
On this occasion fix uses of the word 'nor'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Jean-Christophe Fillion-Robin
5304331156 Fix linking against non-system zlib on macOS
This commit ensures the -L/path/to/zlib flag associated with ldflags
property set in "Configurations/00-base-templates.conf" (under "BASE_unix")
is inherited when defining "darwin-common" configuration.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12238)
2020-07-20 09:26:04 +10:00
Shane Lontis
f64f17c3e0 Added missing ';' after methods in the synopsis section of pod files
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12452)
2020-07-19 18:45:30 +02:00
Richard Levitte
93e32043cb util/find-doc-nits: relax some SYNOPSIS checks
-   The check that disallowed space before the argument list in a
    function typedef is tentatively removed, allowing this kind of
    construction:

    typedef int (fantastically_long_name_breaks_80char_limit)
        (fantastically_long_name_breaks_80char_limit *something);

-   Accept the following style of function signature:

    typedef TYPE (NAME)(args...)

-   Accept space between '#' and 'defined' / 'undef'

-   Accept other spaces than SPC in argument list comma check,
    allowing declaration with line breaks.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12452)
2020-07-19 18:45:30 +02:00
Richard Levitte
d3cb5904f3 util/find-doc-nits: read full declarations as one line in name_synopsis()
name_synopsis was reading physical SYNOPSIS lines.  This changes it to
consider a declaration at a time, so we treat a C declaration that's
been broken up in several lines as one.

This makes it mandatory to end all C declarations in the SYNOPSIS with
a semicolon.  Those can be detected in two ways:

1.  Parsing an individual .pod file outputs this error:

    doc/man3/SOMETHING.pod:1: Can't parse rest of synopsis:

     int SOMETHING_status(SOMETHING *s)
     int SOMETHING_start(SOMETHING *s)

    (declarations not ending with a semicolon (;)?)

2.  Errors like this:

    doc/man3/SOMETHING.pod:1: SOMETHING_status missing from SYNOPSIS
    doc/man3/SOMETHING.pod:1: SOMETHING_start missing from SYNOPSIS

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12452)
2020-07-19 18:45:30 +02:00
Richard Levitte
43b3ab6f87 Fix typo for SSL_get_peer_certificate()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12468)
2020-07-19 18:43:05 +02:00
Richard Levitte
1bb78e72b9 Remove util/openssl-update-copyright
It was useful at the time for a one-time run.  However, since it does
its work based on file modification time stamps, and those are
notoriously untrustable in a git checkout, it ends up being harmful.

There is a replacement in OpenSSL's tools repository, which relies on
git history.

Fixes #12462

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12466)
2020-07-19 18:40:53 +02:00
Pauli
a85c902125 mac: always pass a non-NULL output size pointer to providers.
The backend code varies for the different MACs and sometimes sets the output
length, sometimes checks the return pointer and sometimes neither.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12458)
2020-07-18 16:54:53 +10:00
Pauli
3fc164e8d1 doc: Fix documentation of EVP_EncryptUpdate().
The documentation was off by one for the length this function could return.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12435)
2020-07-17 22:22:34 +10:00
Pauli
b99c463d78 install: add notes about ignored seed sources in the FIPS provider.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12325)
2020-07-17 22:16:11 +10:00
Pauli
45554b5c71 rand: detect if FIPS approved randomness sources are being used.
This boils down to the operating system sources and RDRAND.
All other sources are not available in the FIPS module.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12325)
2020-07-17 22:16:11 +10:00
Shane Lontis
8e78da0666 Fix trailing whitespace mismatch error when running 02-test_errstr.
Fixes #12449

On a aix7_ppc32 machine the error was of the form
match 'Previous owner died ' (2147483743) with one of ( 'Previous owner died', 'reason(95)' )
Stripping the trailing whitespace from the system error will address this issue.

Suggested fix by @pauldale.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12451)
2020-07-17 13:51:15 +10:00
Dr. David von Oheimb
cb9bb7350d 99-test_fuzz.t: Clean up and re-organize such that sub-tests could be split easily
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12359)
2020-07-16 21:44:26 +02:00
Dr. David von Oheimb
1e76cb002a test/run_tests.pl: In parallel runs, start those tests first that run longest
Also untabify the Perl source file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12359)
2020-07-16 21:44:25 +02:00
Dr. David von Oheimb
0b670a2101 x509_vfy.c: Improve key usage checks in internal_verify() of cert chains
If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.

Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375)
2020-07-16 15:48:53 +02:00
Dr. David von Oheimb
1337a3a998 Constify X509_check_akid and prefer using X509_get0_serialNumber over X509_get_serialNumber
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375)
2020-07-16 15:48:53 +02:00
Richard Levitte
318565b733 Prepare for 3.0 alpha 6
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2020-07-16 15:23:08 +02:00
Richard Levitte
e70a2d9f13 Prepare for release of 3.0 alpha 5
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2020-07-16 15:22:29 +02:00
Richard Levitte
b013cf9000 util/mktar.pl: Change 'VERSION' to 'VERSION.dat'
This was forgotten when that file changed name, and that unfortunately
disrupts releases.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12464)
2020-07-16 15:08:30 +02:00
Richard Levitte
e39e295e20 Update copyright year
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12463)
2020-07-16 14:47:04 +02:00
Richard Levitte
e4162f86d7 DRBG: Fix the renamed functions after the EVP_MAC name reversal
[extended tests]

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12186)
2020-07-16 14:21:07 +02:00
Matt Caswell
660c534435 Revert "kdf: make function naming consistent."
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.

This reverts commit 765d04c946.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
2020-07-16 14:21:07 +02:00
Matt Caswell
865adf97c9 Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*"
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.

This reverts commit d9c2fd51e2.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
2020-07-16 14:21:07 +02:00
Richard Levitte
8dab4de538 Add latest changes and news in CHANGES.md and NEWS.md
- Reworked test perl framwork for parallel tests
- Reworked ERR codes to make better space for system errors
- Deprecation of the ENGINE API

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12461)
2020-07-16 12:45:02 +02:00
Pauli
ecca5b6e2e capabilities: make capability selection case insensitive.
Everything else to do with algorithm selection and properties is case
insensitive.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12450)
2020-07-16 09:19:24 +02:00
Pauli
81ed433cf8 libcrypto.num: engine deprecation updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:28 +02:00
Pauli
bb95426211 doc: remove unused engine tracing option
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:28 +02:00
Pauli
184fb690fa trace: condition out engine related tracing
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:28 +02:00
Pauli
03445677b9 Document that ENGINE_add_conf_module() was deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:28 +02:00
Pauli
2099f1bb6b Document that exdata for ENGINES is deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
1bdab93a62 Document that the ENGINE_[sg]_ex_data() calls are reprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
8b4c89f8d2 RAND: document that the ENGINE RAND override is deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
571d2c4dc7 ENGINESDIR: document that this configuration is deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
2d71c9468a doc: document that the engine initialisation options are deprecated.
They can't be removed yet for API compatibility reasons.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
9bd8d96c39 deprecate engines in provider code
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
e4468e6d8d deprecate engines in libcrypto
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
ad8fc6f626 apps: deprecate engines
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00
Pauli
91512a771a deprecate engine from public header files
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:27 +02:00