Commit Graph

29722 Commits

Author SHA1 Message Date
William Edmisten
8c5bff2220 Add support for ISO 8601 datetime format
Fixes #5430

Added the configuration file option "date_opt" to the openssl applications ca,
crl and x509.
Added ASN1_TIME_print_ex which supports the new datetime format using the
flag ASN1_DTFLGS_ISO8601

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14384)
2021-06-11 12:39:46 +02:00
Robbie Harwood
3eb4b5bfe6 Update krb5 module and re-enable pkinit tests
pkinit tests were disabled in cd0aca5320

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15444)
2021-06-11 12:34:16 +02:00
Tomas Mraz
67eacb60a8 Do not depend on the exact exit failure value of dgst app
On most platforms the EXIT_FAILURE is 1 but on NonStop platform
the EXIT_FAILURE is -1 truncated to 255.

Fixes #15633

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15694)
2021-06-11 20:09:30 +10:00
Richard Levitte
c24b3f2eda Clean away remaining Travis related files
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15692)
2021-06-11 10:03:34 +02:00
Tomas Mraz
541d4f1995 fuzz/asn1parse: Use BIO_s_mem() as fallback output
/dev/null is not available everywhere.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15672)
2021-06-11 09:51:14 +02:00
Tomas Mraz
20778ea7da BIO_write_ex: No error only on 0 bytes to write
Fixes #15682

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15672)
2021-06-11 09:51:14 +02:00
Tomas Mraz
451c2a95bd Windows CI: Enable fuzz test in plain build
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15672)
2021-06-11 09:50:55 +02:00
Richard Levitte
814b5133e9 apps/lib/s_socket.c: Alias getpid with _getpid for _WIN32
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15710)
2021-06-11 09:48:54 +02:00
Todd Short
baa47ad3b1 Fix FIPS provider value in docs
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15676)
2021-06-11 09:36:41 +02:00
Richard Levitte
6309b799e9 STORE: Make OSSL_STORE_LOADER_fetch() consistent with all other fetch functions
The argument order was different on this one.

Fixes #15688

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15689)
2021-06-11 09:09:21 +02:00
Tomas Mraz
b19fcc66d3 Document that provider name can be a full path
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15680)
2021-06-11 08:52:26 +10:00
Tomas Mraz
d475a9efcf dl_name_converter: Avoid unnecessary overallocation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15680)
2021-06-11 08:52:14 +10:00
Tomas Mraz
6cf811e867 ossl_provider_set_module_path: Prevent potential UAF
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15680)
2021-06-11 08:52:14 +10:00
Richard Levitte
7afef721ff OpenSSL::Test: If __cwd() is to create the directory, do it early
This is to ensure that abs_path() has an existing directory to look at.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15701)
2021-06-10 17:59:54 +02:00
Shane Lontis
ef0449135c Fix s_server app to not report an error when using a non DH certificate.
Fixes #15071

It always tries loading the cert as DH which previously did not produce
an error. The errors are not suppressed for these operations.
The output now matches previous versions of OpenSSL.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15670)
2021-06-10 17:58:27 +02:00
Richard Levitte
bedda72ff7 OpenSSL::Test: Treat SRCDATA directory specially, as it might not exist
Not all tests come with a SRCDATA directory.  if it doesn't exist, we
simply drop it from the internal table of directories.

OpenSSL::Test::srcdata_dir() and OpenSSL::Test::srcdata_file() may
return undef in that case.  However, recipes shouldn't try to refer to
a non-existing data directory, so if that happens, it's a programming
error and must be corrected.

Fixes #15679

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15700)
2021-06-10 15:24:05 +02:00
Petr Gotthard
586820831a doc: fix OSSL_PARAM_BLD pointers in the example
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15663)
2021-06-10 22:10:26 +10:00
Tomas Mraz
20e80ad1bc store: Avoid spurious error from decoding at EOF
Fixes #15596

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15661)
2021-06-10 11:56:28 +02:00
Arran Cudbard-Bell
726f92e016 Enable ssl-trace by default
There doesn't appear to be a good reason to omit protocol message tracing by default.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15665)
2021-06-10 09:42:12 +01:00
Todd Short
25959e04c3 Optimize session cache flushing
Sort SSL_SESSION structures by timeout in the linked list.
Iterate over the linked list for timeout, stopping when no more
session can be flushed.
Do SSL_SESSION_free() outside of SSL_CTX lock
Update timeout upon use

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8687)
2021-06-10 18:32:25 +10:00
Tomas Mraz
de5a0198b2 Fix use after free in OSSL_HTTP_REQ_CTX_set1_req()
Fixes #15647

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15648)
2021-06-10 18:27:15 +10:00
Pauli
5a9dbfc58a err: clear flags better when clearing errors.
An attempt to clear an error with malloced data didn't clear the flags.
Now it clears all flags except the malloced flag.

Fixes #12530

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15667)
2021-06-10 18:11:45 +10:00
Richard Levitte
5ac6d7d21b APPS: Restore the possibility to combine -pubout with -text
This applies to the 'openssl pkey' command.

Fixes #15645

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15658)
2021-06-10 08:34:09 +02:00
Pauli
b6298a7f8d util: convert SHA* one shots back to being functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
2021-06-10 14:18:06 +10:00
Pauli
1dc8eb5be0 changes: fix woring that mentions SHA* one shot functions are deprecated
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
2021-06-10 14:18:06 +10:00
Pauli
807bb42554 sha: convert SHA one shot macros back to being functions
Fixes #15655

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
2021-06-10 14:18:06 +10:00
Richard Levitte
ef2194c4ad DECODER & ENCODER: Add better tracing
Now that we have functions to get the name and properties of the
diverse implementations, we can as well display them for clarity.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
2021-06-09 17:00:26 +02:00
Richard Levitte
8ea5a6b523 DECODER: Adapt addition of extra decoder implementations
The new PKCS#8 decoder implementation decodes from DER to DER.
OSSL_DECODER_CTX_add_extra() wasn't suited for this case; we had to
modify it to walk through all existing decoder implementations, and
filter out those that aren't suitable.
This also turns out to fix the possibility to have more than one extra
decoder implementation that produces the same type of encoding, for
example several different wrapper formats that all decoder into DER.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
2021-06-09 17:00:19 +02:00
Richard Levitte
6a2b8ff392 Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.

The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentativaly run further down the call chain.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
2021-06-09 17:00:10 +02:00
Dr. David von Oheimb
320fc032b9 25-test_verify.t: Add test case: accept trusted self-signed EE cert with key usage keyCertSign also when strict
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
2021-06-09 16:06:10 +02:00
Dr. David von Oheimb
80070e478a test/certs/mkcert.sh: Correct description of geneealt parameters
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
2021-06-09 16:06:10 +02:00
Dr. David von Oheimb
65a97b2c38 25-test_verify.t: Prevent expiration of test case 'Name constraints bad othername name constraint'
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
2021-06-09 16:06:10 +02:00
Dr. David von Oheimb
d63053bbdf 80-test_cmp_http.t: Improve the way the test server is launched and killed
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15642)
2021-06-09 14:03:16 +02:00
Dr. David von Oheimb
ee1d1db824 80-test_cmp_http.t: Simplify and prevent hangs on server not launching/behaving correctly
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15642)
2021-06-09 14:03:16 +02:00
Rich Salz
f8ab78f6c2 Remove I_CAN_LIVE_WITH_LNK4049
Fixes #9332

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15649)
2021-06-09 18:01:22 +10:00
Pauli
1af9b646e8 keymgmt: better detect when a key manager can be reused
Fixes #14159

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15652)
2021-06-09 17:37:44 +10:00
Richard Levitte
1355659bb8 OpenSSL::Test.pm: Replace all uses of rel2abs() with abs_path()
rel2abs() doesn't clean the path well enough, which may lead to odd
results when calculating new paths.  abs_path() works better for this
sort of thing.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15644)
2021-06-08 21:15:00 +02:00
Matt Caswell
4bf696c1d0 Correctly detect decode errors when checking if a key is supported
If we have an unsupported key type we may get a decode error and
therefore we should detect that.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
1df8322ce0 Simplify error reporting in X509_PUBKEY_get0()
The X509_PUBKEY_get0() was attempting to recreate any errors that might
have occurred from the earlier decode process when obtaining the EVP_PKEY.
This is brittle at best and the approach would only work with legacy keys.
We remove this and just report an error directly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
33fb6ed3ec Use the fips-and-base.cnf config file in CMP tests
Two CMP tests were using the fips.cnf config file. However to
ensure that decoders are available the fips-and-base.cnf config
file needs to be used instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
15fd6c235c Mark some priv/public key paris as only available in the default provider
Now that we actually load public keys from providers we need to mark some
key paris in the evp tests as only available there. Otherwise we get test
failures when only the FIPS Provider is loaded.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
b2f1b36592 Actually use a legacy route in pem_read_bio_key_legacy()
The function pem_read_bio_key_legacy() is a fallback route if we
failed to load a key via a provider. We should be using the legacy
specific d2i functions to force legacy otherwise we end up using a
provider anyway

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
237cb05d34 Just look for "Unable to load Public Key" if no SM2
The X509 test was looking for some specific errors when printing an SM2
X509 certificate when SM2 is disabled. In fact these errors appear in the
middle of the certificate printing which is quite odd. There is also a
separate error "Unable to load Public Key" which is more cleanly printed.

With the recent change to using provided keys in certs the old errors are
no longer output. However printing them in the middle of the cert is
probably not right anyway. So we just rely on the "Unable to load Public
Key" message.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
29bf83c889 Only use the legacy route to decode a public key if we have to
We should use a provider to decode a SubjectPublicKeyInfo structure if
we can. We should only use the legacy route if we are forcing legacy, or
if an ENGINE is in use.

Fixes #15393
Fixes #15327

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
f8da1d8005 Ensure that we consume all the data when decoding an SPKI
If we are decoding a SubjectPublicKeyInfo structure then we must use all
of the data and must not have bytes "left over".

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
2b049e933a Use the right class/tag when decoding an embedded key
When a key (SubjectPublicKeyInfo) is embedded in some other structure
it may use an implicit tag. However the decoders can only handle the
universal class and don't know how to interpret the implicit tag.
Therefore we modify the data into a form the decoders can handle.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
7834d50fa9 Fix CTLOG_new_from_base64_ex()
Ensure that the libctx/propq are passed to d2i_PUBKEY_ex()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
eaf867011e Fix the expected output of printing certificates
Now that we are using provided keys when loading a certificate the pretty
printing formatting is cosmetically different. We need to adjust expected
test output accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Tomas Mraz
92b835376a EVP_PKEY_new_raw_private_key: Allow zero length keys
Allocate at least one byte to distinguish a zero length key
from an unset key.

Fixes #15632

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15643)
2021-06-08 22:01:34 +10:00
Larkin Nickle
907720f064 Fix compilation on systems with empty _POSIX_TIMERS
Systems such as Tru64 ship with broken headers that
have _POSIX_TIMERS defined but empty.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15598)
2021-06-08 21:05:21 +10:00