Commit Graph

27614 Commits

Author SHA1 Message Date
Shane Lontis
89cccbea51 Add EVP_KDF-X942 to the fips module
The X942 KDF had been modified so that it supports all optional fields - not
just the fields used by CMS.

As there are 2 types of KDF for X942 - this has been made a bit clearer
by adding an X942KDF-ASN1 alias. X942KDF-CONCAT has also been added as an
alias of X963KDF.

This work was instigated as a result of the ACVP tests optionally being
able to use keybits for the supp_pubinfo field.
Setting the parameter OSSL_KDF_PARAM_X942_USE_KEYBITS to 0 allows this
to be disabled.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13418)
2020-12-02 12:15:05 +10:00
Shane Lontis
8018352457 Fix s390 EDDSA HW support in providers.
Fixes #12476

Note this stopped working when ECX was swapped over to using
providers. The ECX_KEY keygen and exchange were converted, but not the ED
signing support.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/13508)
2020-12-02 12:04:58 +10:00
Pauli
f7f10de305 Print random seed on test failure.
Tests randomisation wasn't reliably printing the seed used on failure in the CIs.

Fixes: #13572

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13573)
2020-12-02 10:46:28 +10:00
Tim Hudson
8758f4e625 Correct system guessing for darwin64-arm64 target
Previously the system guessing logic would incorrectly guess
i686-apple-darwin as the fallback for any unspecified architecture
that is a Darwin target

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13517)
2020-12-02 08:51:52 +10:00
Dr. David von Oheimb
9ab9b16bb7 apps/pkcs12.c: Correct default legacy algs and make related doc consistent
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13534)
2020-12-01 17:50:56 +01:00
Kelvin Lee
9feb2fce65 Fix simpledynamic.c - a typo and missed a header
CLA: trivial

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13584)
2020-12-02 00:25:01 +11:00
Richard Levitte
527eb8d294 TEST: Add a simple module loader, and test the FIPS module with it
This very simple module loader is only linked with the standard C
library, so cannot and should not provide any other symbol to the
module it tries to load.  It can thereby be used to verify that the
module it tries to load doesn't have any surprising dependencies when
it's supposed to be self contained.

A test recipe is added to verify the FIPS module with this loader.

Fixes #11020

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13507)
2020-12-01 11:06:03 +01:00
Richard Levitte
9800b1a0da TEST: Break out the local dynamic loading code from shlibloadtest.c
The result is "simpledynamic.c", or "sd" for short.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13507)
2020-12-01 11:06:03 +01:00
Dr. David von Oheimb
1234aa7e41 endecode_test.c: Add warning that 512-bit DH key size is for testing only
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13568)
2020-12-01 07:49:38 +01:00
Dr. David von Oheimb
20f8bc7255 test cleanup: move helper .c and .h files to test/helpers/
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13568)
2020-12-01 07:49:38 +01:00
Dr. David von Oheimb
93a9ffa6c2 remove obsolete test/drbg_cavs_data.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13568)
2020-12-01 07:49:37 +01:00
Dr. David von Oheimb
2de4c87889 remove obsolete test/drbg_extra_test.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13568)
2020-12-01 07:49:37 +01:00
Richard Levitte
172daa7fc7 RSA: correct digestinfo_ripemd160_der[]
A couple of numbers were incorrect.

Fixes #13559

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13562)
2020-11-30 12:42:03 +01:00
Ard Biesheuvel
26217510d2 aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode
ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are affected
by silicon errata #1742098 [0] and #1655431 [1], respectively, where the
second instruction of a AES instruction pair may execute twice if an
interrupt is taken right after the first instruction consumes an input
register of which a single 32-bit lane has been updated the last time it
was modified.

This is not such a rare occurrence as it may seem: in counter mode, only
the least significant 32-bit word is incremented in the absence of a
carry, which makes our counter mode implementation susceptible to these
errata.

So let's shuffle the counter assignments around a bit so that the most
recent updates when the AES instruction pair executes are 128-bit wide.

[0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice
[1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13504)
2020-11-30 12:14:54 +01:00
Matt Caswell
cbb85bda0c Fix builds that specify both no-dh and no-ec
Various sections of code assumed that at least one of dh or ec would be
available. We also now also need to handle cases where a provider has
a key exchange algorithm and TLS-GROUP that we don't know about.

Fixes #13536

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13549)
2020-11-30 10:50:13 +00:00
Matt Caswell
9327b5c9c9 Fix TLS1.2 CHACHA20-POLY1305 ciphersuites with OPENSSL_SMALL_FOOTPRINT
If OPENSSL_SMALL_FOOTPRINT was defined then the CHACHA20-POLY1305
implementation for TLS went down a different codepath that failed to
adjust the payload length to remove the tag.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13513)
2020-11-30 10:37:14 +00:00
Matt Caswell
a07dc8167b Fix instances of pointer addition with the NULL pointer
Addition using the NULL pointer (even when adding 0) is undefined
behaviour. Recent versions of ubsan are now complaining about this, so
we fix various instances.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13513)
2020-11-30 10:37:14 +00:00
Dr. David von Oheimb
5658470ce7 endecode_test.c: Significant speedup in generating DH and DHX keys
Fixes #13495

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13552)
2020-11-29 11:32:54 +01:00
John Baldwin
6568d7a931 Collapse two identical if statements into a single body.
These two bodies should be grouped together anyway as the reason for
the call to BIO_flush() is to permit using BIO_set_ktls_ctrl_msg().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13090)
2020-11-28 18:36:16 -08:00
John Baldwin
410f5bb189 Allow zero-byte writes to be reported as success.
When using KTLS, empty fragments sent as a mitigation for known-IV
weakenesses in TLS 1.0 are sent as writes of 0 bytes.  The TLS header
and trailer are added to the empty fragment by the kernel.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13090)
2020-11-28 18:36:15 -08:00
Richard Levitte
d27a8e922b TEST: Fix path length in test/ossl_store_test.c
The URI length was set to 80 chars, but the URI being built up may
need more space, all depending on the paths used to get to the files
that are to be loaded.  If the result needs more than 80 chars, the
test will fail.

Fixed by using PATH_MAX.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13546)
2020-11-28 21:19:18 +01:00
Liang Liu
bf4cdd4abf [DOC]Fix two broken links in INSTALL.md; Change name of zlib flag to the current one.
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13519)
2020-11-28 18:57:12 +10:00
J08nY
be501dd556 README: Move Travis link to .com from .org.
CLA: trivial

Fixes #12423

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13538)
2020-11-28 15:38:12 +10:00
Richard Levitte
edb7afb8fb ERR: drop err_delete_thread_state() TODO marker
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13466)
2020-11-28 15:28:46 +10:00
Richard Levitte
af2f14ace5 ERR: Drop or deprecate dangerous or overly confusing functions
ERR_get_error_line() is deprecated, and ERR_get_error_func() and
ERR_get_error_data() are removed in favor of ERR_get_error_all(),
since they pop the error record, leaving the caller with only partial
error record data and no way to get the rest if the wish.

If it's desirable to retrieve data piecemeal, the caller should
consider using the diverse ERR_peek functions and finish off with
ERR_get_error().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13466)
2020-11-28 15:28:46 +10:00
Matt Caswell
b8fa02e8a4 Fix no-engine
If we specify no-engine then this should cascade to also mean
no-dynamic-engine. The store test was only checking whether
dynamic-engine was disabled, meaning that some tests were failing
in a no-engine build.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13502)
2020-11-27 17:32:03 +00:00
Dr. David von Oheimb
ee46dfbf2c X509_dup: fix copying of libctx and propq using new ASN1_OP_DUP_POST cb operation
Fixes #12680

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12687)
2020-11-27 16:53:32 +01:00
Dr. David von Oheimb
4f7e08c83e asn1t.h: Improve comments documenting ASN1_ITYPE_... and the 'funcs' field
Also move the #define(s) for the ASN1_ITYPE_.. before their first use.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12687)
2020-11-27 16:53:32 +01:00
Richard Levitte
888bdbfd39 EVP_PKEY & DSA: Make DSA EVP_PKEY_CTX parameter ctrls / setters more available
EVP_PKEY_CTX_set_dsa_ functions were only available when DSA was
enabled ('no-dsa' not configured).  However, that makes it impossible
to use these functions with an engine or a provider that happens to
implement DSA.  This change solves that problem by shuffling these
functions to more appropriate places.

Fixes #13529

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13530)
2020-11-27 15:30:51 +01:00
ihsinme
a614af9553 Update bio_ok.c
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13515)
2020-11-27 13:58:59 +01:00
Matt Caswell
90c046be9c Remove d2i_DHparams.pod and move documentation to d2i_RSAPrivateKey.pod
d2i_RSAPrivateKey.pod is the more generic page for these deprecated
functions and provides advice and guidance on how to translate the old
style functions into new ones.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
59d7ad074a Updates the CHANGES.md entry regarding DH deprecation
Extend the existing CHANGES.md entry with information about the
additional functions that have also been deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
c9f71df31b Convert DH deprecations to the new way of deprecating functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
25e49af92a Deprecate more DH functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
d4c2f498a3 Don't test a deprecated function in a no-deprecated build
EVP_PKEY_set1_DH is deprecated so there is no need to test it in a
no-deprecated build.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
bb64795f96 Remove fuzzing of deprecated functions in a no-deprecated build
d2i_DHparams and i2d_DHparam as well as the equivalent DHX functions are
deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
4d8e8a2d37 Deprecate the DHparams and DHxparams PEM routines
The functions return a DH object and therefore need to be deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
5a2674163d Deprecate EVP_PKEY_assign_DH and other similar macros
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
0a68a445ae Deprecate functions for getting and setting DH values in an EVP_PKEY
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Matt Caswell
752419d8f7 Deprecate DH_new as well as i2d_DHparams and d2i_DHparams
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-27 11:04:54 +00:00
Richard Levitte
abcca5078f TEST: Adapt test/errtest for the 'no-err' configuration
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13510)
2020-11-27 12:02:56 +01:00
Richard Levitte
63132c53f9 ERR: Restore the similarity of ERR_print_error_cb() and ERR_error_string_n()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13510)
2020-11-27 12:02:56 +01:00
Shane Lontis
6692343678 Fix no-deprecated configuration
pem_read_depr_test needed to be setup in build info so that it only
exists inside an IF[{- !$disabled{'deprecated-3.0'} -}] block.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13543)
2020-11-27 14:59:18 +10:00
Shane Lontis
719bc0e826 Fix EVP_CIPHER_CTX_set_padding for legacy path
Fixes #13057

When using an engine, there is no cipher->prov so a call to
EVP_CIPHER_CTX_set_padding() returns an error when
evp_do_ciph_ctx_setparams() is called. For the legacy path it needs to
avoid doing the call and just return 1.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13437)
2020-11-27 07:58:01 +10:00
Daniel Bevenius
8dc34b1f57 EVP: don't touch the lock for evp_pkey_downgrade
This commit tries to address a locking issue in evp_pkey_reset_unlocked
which can occur when it is called from evp_pkey_downgrade.

evp_pkey_downgrade will acquire a lock for pk->lock and if successful
then call evp_pkey_reset_unlocked. evp_pkey_reset_unlocked will call
memset on pk, and then create a new lock and set pk->lock to point to
that new lock. I believe there are two problems with this.

The first is that after the call to memset, another thread would try to
acquire a lock for NULL as that is what the value of pk->lock would be
at that point.

The second issue is that after the new lock has been assigned to
pk->lock, that lock is different from the one currently locked so
another thread trying to acquire the lock will succeed which can lead to
strange behaviour. More details and a reproducer can be found in the
Refs link below.

This changes the evp_pkey_reset_unlocked to not touch the lock
and the creation of a new lock is done in EVP_PKEY_new.

Refs:
https://github.com/danbev/learning-libcrypto/blob/master/notes/issues.md#openssl-investigationtroubleshooting
https://github.com/nodejs/node/issues/29817

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13374)
2020-11-26 18:06:06 +01:00
Tomas Mraz
2b407d0508 Documentation improvements for EVP_DigestInit_ex and related functions
Documenting when EVP_MD_CTX_reset() is implicitly called and when
type can be set to NULL.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13402)
2020-11-26 17:39:26 +01:00
Tomas Mraz
5de9863bf3 Fix regression in EVP_DigestInit_ex: crash when called with NULL type
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13402)
2020-11-26 17:39:26 +01:00
Tomas Mraz
8d8dd09b96 Add test for no reset after DigestFinal_ex and DigestFinalXOF
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13402)
2020-11-26 17:39:26 +01:00
Tomas Mraz
39fde64a85 EVP_DigestFinalXOF must not reset the EVP_MD_CTX
It does not do it in legacy path and 1.1.1 so that must not change.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13402)
2020-11-26 17:39:26 +01:00
Matt Caswell
e109aaa979 Fix no-posix-io
The "multi" variable should only be used within HTTP_DAEMON guards.
However there were a few spots where this was not the case, which
causes no-posix-io builds to fail.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13498)
2020-11-26 16:09:12 +00:00