Commit Graph

29840 Commits

Author SHA1 Message Date
Shane Lontis
42e97dde80 Add missing NULL check in OSSL_DECODER_from_bio().
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15733)
2021-06-15 17:36:42 +10:00
Matt Caswell
f77208693e Avoid excessive OSSL_DECODER_do_all_provided calls
OSSL_DECODER_CTX_add_extra was calling OSSL_DECODER_do_all_provided in a
loop which was resulting in a large number of calls. Since
OSSL_DECODER_do_all_provided is quite "heavy" this was causing performance
issues.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15716)
2021-06-14 10:05:50 +01:00
Matt Caswell
8c7c1c84cb Add a generic SubjectPublicKeyInfo decoder
Previously all the SubjectPublicKeyInfo decoders were specific to a key
type. We would iterate over all them until a match was found for the correct
key type. Each one would fully decode the key before then testing whether
it was a match or not - throwing it away if not. This was very inefficient.

Instead we introduce a generic SubjectPublicKeyInfo decoder which figures
out what type of key is contained within it, before subsequently passing on
the data to a key type specific SubjectPublicKeyInfo decoder.

Fixes #15646

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15662)
2021-06-14 09:43:01 +01:00
Shane Lontis
1c49be8673 Fix DH/DHX named groups to not overwrite the private key length.
The only reason(s) the DH private key length should be set are:
(1) The user sets it during key generation via EVP_PKEY_CTX_set_params
    using OSSL_PKEY_PARAM_DH_PRIV_LEN.
(2) When loading a PKCS3 (DH) key the optional value
    'privateValueLength' is set.

Now that the named groups contain a value for 'q' there is no reason to
automatically overwrite the private key length.

Issue detected by @davidmakepeace

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15695)
2021-06-14 09:21:12 +10:00
Tomas Mraz
243af566e4 When linking to static libssl always link to static libcrypto
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15714)
2021-06-14 09:21:06 +10:00
Tomas Mraz
eaa39eb678 Do not duplicate symbols between libcrypto and libssl in static builds
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15714)
2021-06-14 09:21:05 +10:00
Tomas Mraz
cdf2986a70 Add -latomic only for architectures where needed
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15640)
2021-06-14 09:19:57 +10:00
Tomas Mraz
d049485cfb Avoid duplicating prov_running.o in libdefault and libcrypto
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15704)
2021-06-14 09:18:41 +10:00
Richard Levitte
e2217b44f4 APPS: Remove an unreachable statement in s_client.c
A Solaris compiler complains:

    "apps/s_client.c", line 2994: statement not reached

It takes a bit of scrutiny to see that this is true, on all platforms.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15719)
2021-06-13 21:48:18 +02:00
Bernd Edlinger
0051746e03 Add AES consttime code for no-asm configurations
This adds optional constant time support for AES
when building openssl for no-asm.

Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME

This is by default enabled.

[extended tests]

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10828)
2021-06-13 06:36:48 +02:00
Pauli
3614d94d5f ci: run the on pull request CIs on push to master
This will help catch problems caused by merging.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15711)
2021-06-12 23:06:22 +10:00
Dr. David von Oheimb
49a54634ec d2i_X509: revert calling X509v3_cache_extensions()
Fixes #13754

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15705)
2021-06-12 10:37:04 +02:00
Richard Levitte
25eeab019c Windows GitHub CI: Introduce --strict-warnings
This involves making a more comprehensive matrix for the different
architectures we build for.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15709)
2021-06-12 14:41:51 +10:00
Richard Levitte
dd53c29793 Windows Github CI: test in Windows 2016 as well
This brings an older version of MSVC, which may bring some "interesting"
failures.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15709)
2021-06-12 14:41:51 +10:00
Richard Levitte
773e67ab82 Building: Add necessary dependencies for linker scripts and .rc files
These files depend on the data from configdata.pm, so need a dependency
on that one to always be properly updated.  The same goes for .rc files.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15717)
2021-06-11 17:22:44 +02:00
Richard Levitte
4a73938756 Configure: Allow spaces around '=' in all build.info statements
This was allowed already for some statements, but not consistently for all.

Fixes #15684

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15691)
2021-06-11 15:45:06 +02:00
Dr. David von Oheimb
8ccbf00d17 Rename OSSL_HTTP_set_request() to OSSL_HTTP_set1_request() for clarity
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15697)
2021-06-11 14:41:20 +02:00
Dr. David von Oheimb
95c0b295de HTTP client: Fix GET request handling when rctx is reused (keep-alive)
This also updates the documentation of OSSL_HTTP_REQ_CTX_set1_req().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15697)
2021-06-11 14:41:20 +02:00
William Edmisten
8c5bff2220 Add support for ISO 8601 datetime format
Fixes #5430

Added the configuration file option "date_opt" to the openssl applications ca,
crl and x509.
Added ASN1_TIME_print_ex which supports the new datetime format using the
flag ASN1_DTFLGS_ISO8601

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14384)
2021-06-11 12:39:46 +02:00
Robbie Harwood
3eb4b5bfe6 Update krb5 module and re-enable pkinit tests
pkinit tests were disabled in cd0aca5320

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15444)
2021-06-11 12:34:16 +02:00
Tomas Mraz
67eacb60a8 Do not depend on the exact exit failure value of dgst app
On most platforms the EXIT_FAILURE is 1 but on NonStop platform
the EXIT_FAILURE is -1 truncated to 255.

Fixes #15633

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15694)
2021-06-11 20:09:30 +10:00
Richard Levitte
c24b3f2eda Clean away remaining Travis related files
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15692)
2021-06-11 10:03:34 +02:00
Tomas Mraz
541d4f1995 fuzz/asn1parse: Use BIO_s_mem() as fallback output
/dev/null is not available everywhere.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15672)
2021-06-11 09:51:14 +02:00
Tomas Mraz
20778ea7da BIO_write_ex: No error only on 0 bytes to write
Fixes #15682

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15672)
2021-06-11 09:51:14 +02:00
Tomas Mraz
451c2a95bd Windows CI: Enable fuzz test in plain build
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15672)
2021-06-11 09:50:55 +02:00
Richard Levitte
814b5133e9 apps/lib/s_socket.c: Alias getpid with _getpid for _WIN32
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15710)
2021-06-11 09:48:54 +02:00
Todd Short
baa47ad3b1 Fix FIPS provider value in docs
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15676)
2021-06-11 09:36:41 +02:00
Richard Levitte
6309b799e9 STORE: Make OSSL_STORE_LOADER_fetch() consistent with all other fetch functions
The argument order was different on this one.

Fixes #15688

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15689)
2021-06-11 09:09:21 +02:00
Tomas Mraz
b19fcc66d3 Document that provider name can be a full path
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15680)
2021-06-11 08:52:26 +10:00
Tomas Mraz
d475a9efcf dl_name_converter: Avoid unnecessary overallocation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15680)
2021-06-11 08:52:14 +10:00
Tomas Mraz
6cf811e867 ossl_provider_set_module_path: Prevent potential UAF
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15680)
2021-06-11 08:52:14 +10:00
Richard Levitte
7afef721ff OpenSSL::Test: If __cwd() is to create the directory, do it early
This is to ensure that abs_path() has an existing directory to look at.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15701)
2021-06-10 17:59:54 +02:00
Shane Lontis
ef0449135c Fix s_server app to not report an error when using a non DH certificate.
Fixes #15071

It always tries loading the cert as DH which previously did not produce
an error. The errors are not suppressed for these operations.
The output now matches previous versions of OpenSSL.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15670)
2021-06-10 17:58:27 +02:00
Richard Levitte
bedda72ff7 OpenSSL::Test: Treat SRCDATA directory specially, as it might not exist
Not all tests come with a SRCDATA directory.  if it doesn't exist, we
simply drop it from the internal table of directories.

OpenSSL::Test::srcdata_dir() and OpenSSL::Test::srcdata_file() may
return undef in that case.  However, recipes shouldn't try to refer to
a non-existing data directory, so if that happens, it's a programming
error and must be corrected.

Fixes #15679

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15700)
2021-06-10 15:24:05 +02:00
Petr Gotthard
586820831a doc: fix OSSL_PARAM_BLD pointers in the example
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15663)
2021-06-10 22:10:26 +10:00
Tomas Mraz
20e80ad1bc store: Avoid spurious error from decoding at EOF
Fixes #15596

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15661)
2021-06-10 11:56:28 +02:00
Arran Cudbard-Bell
726f92e016 Enable ssl-trace by default
There doesn't appear to be a good reason to omit protocol message tracing by default.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15665)
2021-06-10 09:42:12 +01:00
Todd Short
25959e04c3 Optimize session cache flushing
Sort SSL_SESSION structures by timeout in the linked list.
Iterate over the linked list for timeout, stopping when no more
session can be flushed.
Do SSL_SESSION_free() outside of SSL_CTX lock
Update timeout upon use

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8687)
2021-06-10 18:32:25 +10:00
Tomas Mraz
de5a0198b2 Fix use after free in OSSL_HTTP_REQ_CTX_set1_req()
Fixes #15647

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15648)
2021-06-10 18:27:15 +10:00
Pauli
5a9dbfc58a err: clear flags better when clearing errors.
An attempt to clear an error with malloced data didn't clear the flags.
Now it clears all flags except the malloced flag.

Fixes #12530

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15667)
2021-06-10 18:11:45 +10:00
Richard Levitte
5ac6d7d21b APPS: Restore the possibility to combine -pubout with -text
This applies to the 'openssl pkey' command.

Fixes #15645

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15658)
2021-06-10 08:34:09 +02:00
Pauli
b6298a7f8d util: convert SHA* one shots back to being functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
2021-06-10 14:18:06 +10:00
Pauli
1dc8eb5be0 changes: fix woring that mentions SHA* one shot functions are deprecated
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
2021-06-10 14:18:06 +10:00
Pauli
807bb42554 sha: convert SHA one shot macros back to being functions
Fixes #15655

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
2021-06-10 14:18:06 +10:00
Richard Levitte
ef2194c4ad DECODER & ENCODER: Add better tracing
Now that we have functions to get the name and properties of the
diverse implementations, we can as well display them for clarity.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
2021-06-09 17:00:26 +02:00
Richard Levitte
8ea5a6b523 DECODER: Adapt addition of extra decoder implementations
The new PKCS#8 decoder implementation decodes from DER to DER.
OSSL_DECODER_CTX_add_extra() wasn't suited for this case; we had to
modify it to walk through all existing decoder implementations, and
filter out those that aren't suitable.
This also turns out to fix the possibility to have more than one extra
decoder implementation that produces the same type of encoding, for
example several different wrapper formats that all decoder into DER.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
2021-06-09 17:00:19 +02:00
Richard Levitte
6a2b8ff392 Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.

The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentativaly run further down the call chain.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
2021-06-09 17:00:10 +02:00
Dr. David von Oheimb
320fc032b9 25-test_verify.t: Add test case: accept trusted self-signed EE cert with key usage keyCertSign also when strict
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
2021-06-09 16:06:10 +02:00
Dr. David von Oheimb
80070e478a test/certs/mkcert.sh: Correct description of geneealt parameters
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
2021-06-09 16:06:10 +02:00
Dr. David von Oheimb
65a97b2c38 25-test_verify.t: Prevent expiration of test case 'Name constraints bad othername name constraint'
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15656)
2021-06-09 16:06:10 +02:00