Commit Graph

29840 Commits

Author SHA1 Message Date
Dr. David von Oheimb
d63053bbdf 80-test_cmp_http.t: Improve the way the test server is launched and killed
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15642)
2021-06-09 14:03:16 +02:00
Dr. David von Oheimb
ee1d1db824 80-test_cmp_http.t: Simplify and prevent hangs on server not launching/behaving correctly
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15642)
2021-06-09 14:03:16 +02:00
Rich Salz
f8ab78f6c2 Remove I_CAN_LIVE_WITH_LNK4049
Fixes #9332

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15649)
2021-06-09 18:01:22 +10:00
Pauli
1af9b646e8 keymgmt: better detect when a key manager can be reused
Fixes #14159

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15652)
2021-06-09 17:37:44 +10:00
Richard Levitte
1355659bb8 OpenSSL::Test.pm: Replace all uses of rel2abs() with abs_path()
rel2abs() doesn't clean the path well enough, which may lead to odd
results when calculating new paths.  abs_path() works better for this
sort of thing.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15644)
2021-06-08 21:15:00 +02:00
Matt Caswell
4bf696c1d0 Correctly detect decode errors when checking if a key is supported
If we have an unsupported key type we may get a decode error and
therefore we should detect that.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
1df8322ce0 Simplify error reporting in X509_PUBKEY_get0()
The X509_PUBKEY_get0() was attempting to recreate any errors that might
have occurred from the earlier decode process when obtaining the EVP_PKEY.
This is brittle at best and the approach would only work with legacy keys.
We remove this and just report an error directly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
33fb6ed3ec Use the fips-and-base.cnf config file in CMP tests
Two CMP tests were using the fips.cnf config file. However to
ensure that decoders are available the fips-and-base.cnf config
file needs to be used instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
15fd6c235c Mark some priv/public key paris as only available in the default provider
Now that we actually load public keys from providers we need to mark some
key paris in the evp tests as only available there. Otherwise we get test
failures when only the FIPS Provider is loaded.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
b2f1b36592 Actually use a legacy route in pem_read_bio_key_legacy()
The function pem_read_bio_key_legacy() is a fallback route if we
failed to load a key via a provider. We should be using the legacy
specific d2i functions to force legacy otherwise we end up using a
provider anyway

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:39 +01:00
Matt Caswell
237cb05d34 Just look for "Unable to load Public Key" if no SM2
The X509 test was looking for some specific errors when printing an SM2
X509 certificate when SM2 is disabled. In fact these errors appear in the
middle of the certificate printing which is quite odd. There is also a
separate error "Unable to load Public Key" which is more cleanly printed.

With the recent change to using provided keys in certs the old errors are
no longer output. However printing them in the middle of the cert is
probably not right anyway. So we just rely on the "Unable to load Public
Key" message.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
29bf83c889 Only use the legacy route to decode a public key if we have to
We should use a provider to decode a SubjectPublicKeyInfo structure if
we can. We should only use the legacy route if we are forcing legacy, or
if an ENGINE is in use.

Fixes #15393
Fixes #15327

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
f8da1d8005 Ensure that we consume all the data when decoding an SPKI
If we are decoding a SubjectPublicKeyInfo structure then we must use all
of the data and must not have bytes "left over".

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
2b049e933a Use the right class/tag when decoding an embedded key
When a key (SubjectPublicKeyInfo) is embedded in some other structure
it may use an implicit tag. However the decoders can only handle the
universal class and don't know how to interpret the implicit tag.
Therefore we modify the data into a form the decoders can handle.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
7834d50fa9 Fix CTLOG_new_from_base64_ex()
Ensure that the libctx/propq are passed to d2i_PUBKEY_ex()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Matt Caswell
eaf867011e Fix the expected output of printing certificates
Now that we are using provided keys when loading a certificate the pretty
printing formatting is cosmetically different. We need to adjust expected
test output accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
2021-06-08 18:53:28 +01:00
Tomas Mraz
92b835376a EVP_PKEY_new_raw_private_key: Allow zero length keys
Allocate at least one byte to distinguish a zero length key
from an unset key.

Fixes #15632

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15643)
2021-06-08 22:01:34 +10:00
Larkin Nickle
907720f064 Fix compilation on systems with empty _POSIX_TIMERS
Systems such as Tru64 ship with broken headers that
have _POSIX_TIMERS defined but empty.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15598)
2021-06-08 21:05:21 +10:00
Pauli
69807ab8ed evp: avoid some calls to EVP_CIPHER_CTX_get_iv_length() because it's been called already
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:25 +10:00
Pauli
cec8854cc9 evp: fix Coverity 1485670 argument cannot be negative
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:25 +10:00
Pauli
3f617061ec evp: fix Coverity 1485669 improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:25 +10:00
Pauli
dacb0d8f79 evp: fix Coverity 1485668 argument cannot be negative
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:17 +10:00
Pauli
9428977994 pkcs12: fix Coverity 1485667 logically dead code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:17 +10:00
Pauli
0341ff9774 evp: fix coverity 1485666 argument cannot be negative
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:17 +10:00
Pauli
042f8f70cb evp: fix improper use of negative value issues
Coverity issues 1485662, 1485663 & 1485664.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:17 +10:00
Pauli
b0a0ab07b4 afalg: fix coverity 1485661 improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:17 +10:00
Pauli
6c1d17c802 fix coverity 1485660 improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:17 +10:00
Pauli
37bbe44929 bio: improve error checking fixing coverity 1485659 & 1485665
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
2021-06-08 19:32:17 +10:00
Pauli
95c8a51252 doc: add PKEY life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:59:25 +10:00
Pauli
75653c100f doc: build changes for PKEY life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:56:53 +10:00
Pauli
dbf021c20e doc: add build info for cipher life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:56:53 +10:00
Pauli
b1307e9421 doc: add references to cipher life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:56:53 +10:00
Pauli
c0fc3fe349 doc: add cipher life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:56:53 +10:00
Pauli
e748b4fbae doc: improve the cipher life cycle diagram
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
f7a19d6402 doc-nits: support out of source execution
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
7f0dc8da7d doc: remove empty section
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
8809fdff93 doc: add references to digest life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
7b9e236177 doc: add digest life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
618523e728 doc: add digest lifecycle diagram
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
e4d69413c2 life-cycles: update digest state table
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Daniel Bevenius
178fa72ed5 Add aix64-gcc-as architecture and p2align callback
This commit adds an architecture named aix64-gcc-as which can generate
assembler source code compatible with AIX assembler (as) instead of the
GNU Assembler (gas). This architecture name is then used in a callback
for the .p2align directive which is not available in AIX as.

The motivation for this addition came out of an issue we ran into when
working on upgrading OpenSSL in Node.js. We ran into the following
compilation error on one of the CI machines that uses AIX:

  05:39:05 Assembler:
  05:39:05 crypto/bn/ppc64-mont-fixed.s: line 4: Error In Syntax

This machine is using AIX Version 7.2 and does not have gas installed
and the .p2align directive is causing this error. After asking around if
it would be possible to install GAS on this machine I learned that AIX
GNU utils are not maintained as well as the native AIX ones and we
(Red Hat/IBM) have run into issues with the GNU utils in the past and if
possible it would be preferable to be able to use the AIX native
assembler.

Refs: https://github.com/nodejs/node/pull/38512

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15638)
2021-06-08 18:52:53 +10:00
Tomas Mraz
fccf3dcef4 X509_digest_sig: Handle RSA-PSS and EDDSA certificates
Identify digest from sigalg params for RSA-PSS and fallback
to SHA-256 for EDDSA.

Fixes #15477

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15618)
2021-06-08 09:20:15 +02:00
Dr. David von Oheimb
09345c8cab Move trust-related decls from x509.h.in to x509_vfy.h.in
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
2021-06-08 07:47:41 +02:00
Dr. David von Oheimb
3cd4e5e73f x509.h.in: extended 'documenting' comment on X509_TRUST_OK_ANY_EKU
This hopefully alleviates the fact that the name is unclear/misleading.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
2021-06-08 07:47:41 +02:00
Dr. David von Oheimb
f9ac6f6956 Improve the documentation of cert path building and validation
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
2021-06-08 07:47:41 +02:00
Dr. David von Oheimb
2576b9c31c X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
2021-06-08 07:47:18 +02:00
Dr. David von Oheimb
f1343f45d6 x509_vfy.c: Improve a couple of internally documenting comments
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
2021-06-08 07:47:18 +02:00
Dr. David von Oheimb
62d2386bf8 x509_trs.c: rename to x509_trust.c and correct comment in trust_compat()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
2021-06-08 07:47:18 +02:00
Shane Lontis
69e0f8cca6 Fix AIX FIPS DEP.
The entry point needs the option 'binitfini', but it was not being
added since the perl code to detect the match did not work.

The entry point for AIX is no longer static - so a wrapper has been
added to call the static version.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15636)
2021-06-08 15:18:00 +10:00
Dr. David von Oheimb
5d43bfa7d5 BIO_write-ex(): Improve behavior in corner cases and documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15608)
2021-06-08 15:17:11 +10:00