Commit Graph

2462 Commits

Author SHA1 Message Date
Richard Levitte
4701f0a9a0 DESERIALIZER: Rethink password handling
The OSSL_DESERIALIZER API makes the incorrect assumption that the
caller must cipher and other pass phrase related parameters to the
individual desserializer implementations, when the reality is that
they only need a passphrase callback, and will be able to figure out
the rest themselves from the input they get.

We simplify it further by never passing any explicit passphrase to the
provider implementation, and simply have them call the passphrase
callback unconditionally when they need, leaving it to libcrypto code
to juggle explicit passphrases, cached passphrases and actual
passphrase callback calls.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12544)
2020-08-01 11:51:18 +10:00
Dr. David von Oheimb
1202de4481 Add OSSL_CMP_MSG_write(), use it in apps/cmp.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421)
2020-07-30 20:14:51 +02:00
Dr. David von Oheimb
fafa56a14f Export ossl_cmp_msg_load() as OSSL_CMP_MSG_read(), use it in apps/cmp.c
Fixes #12403

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421)
2020-07-30 20:14:49 +02:00
Dr. David von Oheimb
593d6554f8 Export crm_new() of cmp_msg.c under the name OSSL_CMP_CTX_setup_CRM()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431)
2020-07-30 09:38:08 +02:00
Dr. David von Oheimb
299e0f1eae Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq()
Fixes #12395

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431)
2020-07-30 09:38:08 +02:00
Richard Levitte
072a9fde7d SERIALIZER: Add functions to deserialize into an EVP_PKEY
EVP_PKEY is the fundamental type for provider side code, so we
implement specific support for it, in form of a special context
constructor.

This constructor looks up and collects all available KEYMGMT
implementations, and then uses those names to collect deserializer
implementations, as described in the previous commit.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)
2020-07-24 16:32:01 +02:00
Richard Levitte
c3e4c1f325 DESERIALIZER: Add foundation for deserializers
This adds a method OSSL_DESERIALIZER, a deserializer context and basic
support to use a set of serializers to get a desired type of data, as
well as deserializer chains.

The idea is that the caller can call OSSL_DESERIALIZER_CTX_add_serializer()
to set up the set of desired results, and to add possible chains, call
OSSL_DESERIALIZER_CTX_add_extra().  All these deserializers are pushed
on an internal stack.

The actual deserialization is then performed using functions like
OSSL_DESERIALIZER_from_bio().  When performing deserialization, the
inernal stack is walked backwards, keeping track of the deserialized
data and its type along the way, until the data kan be processed into
the desired type of data.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)
2020-07-24 16:32:00 +02:00
Shane Lontis
6725682d77 Add X509 related libctx changes.
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12153)
2020-07-24 22:53:27 +10:00
Pauli
41bbba5375 EVP: deprecate the EVP_X_meth_ functions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11082)
2020-07-22 20:19:01 +10:00
Gustaf Neumann
490c87110c Align documentation with recommendations of Linux Documentation Project
This change applies the recommendation of the Linux Documentation Project
to the documentation files of OpenSSL. Additionally, util/find-doc-nits
was updated accordingly.

The change follows a suggestion of mspncp on https://github.com/openssl/openssl/pull/12370
and incoporates the requested changes on the pull request

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12460)
2020-07-22 09:15:00 +02:00
Richard Levitte
8eca461731 util/find-doc-nits: Relax check of function declarations in name_synopsis()
The relaxation allows spaces between function name and argument list,
to allow line breaks like this when there are very long names:

    int (fantastically_long_name_breaks_80char_limit)
        (fantastically_long_name_breaks_80char_limit *something);

This revealed some other intricaties, such as documented internal
structures with function pointers inside, so a check of open
structures was also added, and they are now simply skipped over.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12494)
2020-07-21 18:52:29 +02:00
Dr. David von Oheimb
174f4a4d6a check-format.pl: Report empty lines only if -s (--sloppy-spc) is not used
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Dr. David von Oheimb
dc18781550 check-format.pl: Add check for essentially empty line at beginning of file
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Dr. David von Oheimb
43b2e9e008 check-format.pl: Add check for multiples essentially empty lines in a row
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Dr. David von Oheimb
a77571c34f check-format.pl: Allow comment start '/*' after opening '(','[','{'
On this occasion fix uses of the word 'nor'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
2020-07-20 11:17:34 +02:00
Richard Levitte
93e32043cb util/find-doc-nits: relax some SYNOPSIS checks
-   The check that disallowed space before the argument list in a
    function typedef is tentatively removed, allowing this kind of
    construction:

    typedef int (fantastically_long_name_breaks_80char_limit)
        (fantastically_long_name_breaks_80char_limit *something);

-   Accept the following style of function signature:

    typedef TYPE (NAME)(args...)

-   Accept space between '#' and 'defined' / 'undef'

-   Accept other spaces than SPC in argument list comma check,
    allowing declaration with line breaks.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12452)
2020-07-19 18:45:30 +02:00
Richard Levitte
d3cb5904f3 util/find-doc-nits: read full declarations as one line in name_synopsis()
name_synopsis was reading physical SYNOPSIS lines.  This changes it to
consider a declaration at a time, so we treat a C declaration that's
been broken up in several lines as one.

This makes it mandatory to end all C declarations in the SYNOPSIS with
a semicolon.  Those can be detected in two ways:

1.  Parsing an individual .pod file outputs this error:

    doc/man3/SOMETHING.pod:1: Can't parse rest of synopsis:

     int SOMETHING_status(SOMETHING *s)
     int SOMETHING_start(SOMETHING *s)

    (declarations not ending with a semicolon (;)?)

2.  Errors like this:

    doc/man3/SOMETHING.pod:1: SOMETHING_status missing from SYNOPSIS
    doc/man3/SOMETHING.pod:1: SOMETHING_start missing from SYNOPSIS

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12452)
2020-07-19 18:45:30 +02:00
Richard Levitte
1bb78e72b9 Remove util/openssl-update-copyright
It was useful at the time for a one-time run.  However, since it does
its work based on file modification time stamps, and those are
notoriously untrustable in a git checkout, it ends up being harmful.

There is a replacement in OpenSSL's tools repository, which relies on
git history.

Fixes #12462

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12466)
2020-07-19 18:40:53 +02:00
Richard Levitte
b013cf9000 util/mktar.pl: Change 'VERSION' to 'VERSION.dat'
This was forgotten when that file changed name, and that unfortunately
disrupts releases.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12464)
2020-07-16 15:08:30 +02:00
Matt Caswell
660c534435 Revert "kdf: make function naming consistent."
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.

This reverts commit 765d04c946.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
2020-07-16 14:21:07 +02:00
Matt Caswell
865adf97c9 Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*"
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.

This reverts commit d9c2fd51e2.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
2020-07-16 14:21:07 +02:00
Pauli
81ed433cf8 libcrypto.num: engine deprecation updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:28 +02:00
Todd Short
8c2bfd2512 Add SSL_get[01]_peer_certificate()
Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8730)
2020-07-16 09:08:21 +02:00
Pauli
ce3080e931 DRBG: rename the DRBG taxonomy.
The existing wording didn't capture the reality of the default setup, this new
nomenclature attempts to improve the situation.

Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12366)
2020-07-14 19:20:11 +10:00
Dr. David von Oheimb
915e7e75a4 util/markdownlint.rb: Add two rule exceptions: MD023 and MD026
exclude_rule 'MD023' # Headers must start at the beginning of the line
exclude_rule 'MD026' # Trailing punctuation in header

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12109)
2020-07-05 11:29:43 +02:00
Gustaf Neumann
8c1cbc7210 Fix typos and repeated words
CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12320)
2020-07-05 01:49:20 +02:00
Richard Levitte
3a19f1a9dd Configuration and build: Fix solaris tags
The shared_target attrribute for Solaris built with gcc wasn't right
and shared libraries couldn't be properly built.

Fixes #12356

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12360)
2020-07-04 10:38:46 +02:00
Richard Levitte
1cafbb799a util/perl/OpenSSL/config.pm: Fix /armv[7-9].*-.*-linux2/
This entry added the macro B_ENDIAN when it shouldn't have.

Fixes #12332

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12335)
2020-07-04 10:34:58 +02:00
Richard Levitte
b2bed3c6e5 util/perl/OpenSSL/config.pm: move misplaced Windows and VMS entries
OpenSSL::config::guess_system() is supposed to return system triplets.
However, for Windows and VMS, it returned the final OpenSSL config
target instead.  We move the entries for them to the table that
OpenSSL::config::map_guess() uses, so it can properly convert the
input triplet to an OpenSSL config target.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12339)
2020-07-04 10:32:49 +02:00
Dr. David von Oheimb
0d8dbb52e3 Add X509_self_signed(), extending and improving documenation and tests
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
2020-07-01 11:14:54 +02:00
Richard Levitte
bfa684622a util/perl/OpenSSL/config.pm: refactor guess_system()
There's no reason to have two different tables, when we can simply
detect if the tuple elements are code or scalar.  Furthermore, order
is important in some cases, and that order is harder not to say
impossible when maintaining two tables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:36 +02:00
Richard Levitte
019e3a0b6b util/perl/OpenSSL/config.pm: remove expand() and use eval
The strings we expand contain other variable references than just
${MACHINE}.  Instead of having to remember what to expand, we simply
evaluate the string as a, well, string.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:36 +02:00
Richard Levitte
e39795af0a util/perl/OpenSSL/config.pm: refactor map_guess()
map_guess() is now table driven, just like get_system().
Additionally, it now takes a config hash table and returns one of its
own.  This way, 'Configure' can pass whatever it has already found to
OpenSSL::config::get_platform(), and easily merge the returned hash
table into its %config.

This also gets rid of variables that we no longer need.  That includes
$PERL and all the $__CNF_ environment variables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Richard Levitte
081436bf73 util/perl/OpenSSL/config.pm, Configure: move check of target with compiler
Previously, ./config would check if "$target-$CC", then "$target"
exists and choose the one that does.  This is now moved to Configure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Richard Levitte
a3310b182c util/perl/OpenSSL/config.pm: Rework determining compiler information
determine_compiler_settings() has been refactored to:

- find a compiler if none has been given by the user
- allow platform specific overrides, but only when the user didn't
  already specify a desired compiler
- figure out the compiler vendor and version, making sure that the
  version number is deterministic
- gather platform specific compiler information

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Richard Levitte
48704cc651 Remove OpenSSL::config::main(), it's not necessary
This also remove all option parsing.  We leave that to Configure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Richard Levitte
69aa579e6d util/perl/OpenSSL/config.pm: Prefer POSIX::uname() over piping the command
POSIX::uname() has the advantage to work on non-POSIX systems as well,
such as the Windows command prompt and VMS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Richard Levitte
33d5b4a68a util/perl/OpenSSL/config.pm: Don't detect removed directories in
This is much better handled in Configure.

[There's another PR moving this to Configure, so this commit should
eventually disappear because rebase]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Rich Salz
4901b570ba Initial rewrite of config as a Perl module
- Use $^X; to find perl.
- Big re-ordering: Put all variables at the top, move most inline code into
  functions. The heart of the script now basically just calls
  functions to do its work.
- Unify warning text, add -w option
- Don't use needless (subshells)
- Ensure Windows gets a VC-xxx option
- Make config a perl module
- Top-level "config" command-line is a dummy that just calls the module.
  Added module stuff so that it can be called from Configure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Richard Levitte
5a9752756b CORE: Add OPENSSL_CTX_set0_default(), to set a default library context
Applications may want to set their own default library context,
possibly per-thread.  OPENSSL_CTX_set0_default() does that.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12228)
2020-06-28 10:55:51 +02:00
Pauli
dc4e74ef6c evp_rand: documentation
EVP_RAND, the RNGs and provider-rand.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)
2020-06-24 20:07:46 +10:00
Pauli
5fdaa38feb params: add OSSL_PARAM helpers for time_t.
POSIX mandates that time_t is a signed integer but it doesn't specify the
lenght.  Having wrappers lets uses ignore this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)
2020-06-24 20:05:41 +10:00
Pauli
15dfa092d0 rand: core APIs for provider friendly random.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)
2020-06-24 20:05:41 +10:00
Richard Levitte
3fd16304f4 Missing documentation missing, let's note that down
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12125)
2020-06-22 23:47:12 +02:00
Richard Levitte
c4de5d22aa util/find-doc-nits: Modernise printem()
It wasn't up to date with the new variables used to track information
on what's documented, what's in the .num files and what's in the
"missing" files.

Fixes #12117

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12125)
2020-06-22 23:47:11 +02:00
Richard Levitte
e3ce33b3b5 util/find-doc-nits: Do not read "missing" files when -u is given
Fixes #12117

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12125)
2020-06-22 23:47:11 +02:00
Dr. David von Oheimb
11baa470a2 Fix CMP -days option range checking and test failing with enable-ubsan
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175)
2020-06-22 16:39:26 +02:00
Matt Caswell
2da8d4eb28 Add more complete support for libctx/propq in the EC code
Renames some "new_ex" functions to "new_with_libctx" and ensures that we
pass around the libctx AND the propq everywhere.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12159)
2020-06-19 10:34:58 +01:00
Matt Caswell
11a1b341f3 Make EVP_PKEY_CTX_[get|set]_ec_paramgen_curve_name more generic
We rename these function to EVP_PKEY_CTX_get_group_name and
EVP_PKEY_CTX_set_group_name so that they can be used for other algorithms
other than EC.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)
2020-06-19 10:19:31 +01:00
Matt Caswell
82ec09ec6d Add the OSSL_PROVIDER_get_capabilities() API function
Provide a function to applications to query the capabilities that a
provider can perform.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)
2020-06-19 10:19:31 +01:00
haykam821
6f72b210b2 Remove whitespace from 'white space'
CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12161)
2020-06-19 07:59:46 +02:00
Dr. David von Oheimb
e98c7350bf Improve BIO_socket_wait(), BIO_wait(), BIO_connect_retry(), and their docs
Add/extend range check for 'fd' argument of BIO_socket_wait() and bio_wait()
Correct nap time calculations in bio_wait(), thus correcting also BIO_wait()
Update a type cast from 'unsigned long' to 'unsigned int'
Extend the comments and documentation of BIO_wait()

Rename BIO_connect_retry() to BIO_do_connect_retry()
Make its 'timeout' argument < 0 lead to BIO_do_connect() tried only once
Add optional 'nap_milliseconds' parameter determining the polling granularity
Correct and generalize the retry case checking
Extend the comments and documentation of BIO_do_connect_retry()

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11986)
2020-06-16 18:51:39 +02:00
Pauli
d9c2fd51e2 The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*
functions are now EVP_MAC functions, usually with ctx in their names.

Before 3.0 is released, the names are mutable and this prevents more
inconsistencies being introduced.

There are no functional or code changes.
Just the renaming and a little reformatting.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11997)
2020-06-11 11:16:37 +10:00
Pauli
765d04c946 kdf: make function naming consistent.
The EVP_KDF_CTX_* functions have been relocated to the EVP_KDF_* namespace
for consistency.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11996)
2020-06-11 11:14:21 +10:00
Dr. David von Oheimb
317ffa576b run_tests.pl: Add options for focussing output on failed (sub-)tests
VERBOSE_FAILURES_ONLY (VFO): verbose output only of failed (sub-)tests
VERBOSE_FAILURES_PROGRESS (VFP): in addition summary for passed tests
This adds a workaroud for TAP::Parser not coping well with indentation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12088)
2020-06-10 11:15:38 +02:00
Matt Caswell
d01d375264 Implement OSSL_PROVIDER_get0_provider_ctx()
Implement a function which enables us to get hold of the provider ctx
for a loaded provider.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
2020-06-05 10:31:46 +01:00
Matt Caswell
5f603a280c Enable applications to directly call a provider's query operation
This is useful to get hold of the low-level dispatch tables. This could
be used to create a new provider based on an existing one.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
2020-06-05 10:31:06 +01:00
Billy Brumley
23ccae80bd Move EC_METHOD to internal-only
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11928)
2020-06-02 11:17:24 +03:00
Tim Hudson
c7f837cfcc undeprecate SSL_CTX_load_verify_locations and X509_STORE_load_locations
The underlying functions remain and these are widely used.
This undoes the deprecation part of PR8442

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12001)
2020-06-01 19:52:23 +10:00
Richard Levitte
329b2a2cde DOCS: add openssl-core_numbers.h(7)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11963)
2020-05-29 08:26:10 +02:00
Richard Levitte
bb90f9fee1 util/mkpod2html.pl: Fix unbalanced quotes
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11969)
2020-05-28 14:00:49 +02:00
Dr. David von Oheimb
c74aaa3920 Rename EVP_PKEY_cmp() to EVP_PKEY_eq() and EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11953)
2020-05-27 14:36:13 +02:00
Dr. David von Oheimb
93f99b681a Fix X509_PUBKEY_cmp(), move to crypto/x509/x_pubkey.c, rename, export, and document it
Fixes #11870

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11894)
2020-05-26 09:35:32 +02:00
Dr. David von Oheimb
6e15b81c34 Move decl of OSSL_CRMF_CERTID_dup from {crmf,cmp}_local.h to include/openssl/crmf.h
fixes #11818

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11911)
2020-05-24 17:39:37 +02:00
Billy Brumley
c2f2db9b6f deprecate EC_POINT_make_affine and EC_POINTs_make_affine
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11874)
2020-05-20 20:10:31 +02:00
Richard Levitte
a7ad40c502 Add OSSL_PROVIDER_do_all()
This allows applications to iterate over all loaded providers.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11858)
2020-05-20 11:26:14 +02:00
Billy Brumley
6b4eb93362 deprecate EC precomputation functionality
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11851)
2020-05-19 16:29:37 +03:00
Nikolay Morozov
d9321c09ea Fix small documentation issues
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11835)
2020-05-18 09:34:07 +01:00
Billy Brumley
4fcd15c18a deprecate EC_POINTs_mul function
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11807)
2020-05-16 17:20:37 +01:00
Rich Salz
43a70f0202 Fix all MD036 (emphasis used instead of heading)
The main fixes were errors in itemized lists "*)" instead of "*"

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11770)
2020-05-15 20:49:40 +02:00
Matt Caswell
454afd9866 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11839)
2020-05-15 14:09:49 +01:00
Nicolas Vigier
11d7d90344 If SOURCE_DATE_EPOCH is defined, use it for copyright year
Using the date from SOURCE_DATE_EPOCH instead of the current date makes
it possible to reproduce a build that was built on a different year:
https://reproducible-builds.org/specs/source-date-epoch/

This is fixing an issue we had while building Tor Browser:
https://trac.torproject.org/projects/tor/ticket/33535

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11296)
2020-05-15 11:43:31 +01:00
Richard Levitte
e25761b10d EVP: Refactor the RSA-PSS key generation controls for providers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11710)
2020-05-14 12:17:09 +02:00
Nikolay Morozov
c4e3a72720 Add documentation for ASN1_INTEGER_new() and ASN1_INTEGER_free()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11795)
2020-05-14 09:31:24 +03:00
Dr. David von Oheimb
63f1883dca Rename OSSL_CMP_CTX_set1_clCert() to OSSL_CMP_CTX_set1_cert()
Also update documentation and example code in openssl-cmp.pod.in

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)
2020-05-13 19:42:00 +02:00
Dr. David von Oheimb
143be4748e Add -reqin_new_tid option to apps/cmp.c and OSSL_CMP_MSG_update_transactionID()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)
2020-05-13 19:42:00 +02:00
Richard Levitte
6ab6ecfd6d OSSL_STORE: Make it possible to attach an OSSL_STORE to an opened BIO
This capability existed internally, and is now made public.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11756)
2020-05-13 18:51:14 +02:00
Rich Salz
4ef0ddc9d8 travis: enable markdownlint checks
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11739)
2020-05-08 16:22:01 +02:00
Jakub Zelenka
2b5e12f509 Add documentation for CMS_EnvelopedData_create()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11529)
2020-05-07 10:55:57 +03:00
Shane Lontis
31b069ecea Remove legacy FIPS_mode functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11680)
2020-05-07 16:08:18 +10:00
Dr. David von Oheimb
278260bfa2 Strengthen X509_STORE_CTX_print_verify_cb() to print expected host etc.
Add X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
and X509_VERIFY_PARAM_get1_ip_asc() to support this,
as well as the internal helper function ipaddr_to_asc(), which
is used also for simplifying other IP address output functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11693)
2020-05-05 10:27:28 +02:00
Matt Caswell
1c4f340dd3 Make EVP_new_raw_[private|public]_key provider aware
We also introduce variants which are OPENSSL_CTX aware

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11635)
2020-05-04 09:30:55 +01:00
Richard Levitte
6d81bb2676 util/perl/OpenSSL/OID.pm: remove the included unit test
The unit test uses features that appeared in perl 5.12, and is
therefore a source of trouble when building.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11704)
2020-05-03 06:05:27 +02:00
Shane Lontis
e0624f0d70 Add default property API's to enable and test for fips
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11239)
2020-05-02 14:17:54 +10:00
Benjamin Kaduk
e908f292de make update for SSL_new_session_ticket
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11416)
2020-05-01 15:19:23 -07:00
Pauli
588d5d01fe Undeprecate DH, DSA and RSA _bits() functions.
These were deemed information and useful and that they should not be
deprecated.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11669)
2020-04-30 14:51:37 +10:00
Pauli
3873887e89 params: change OSSL_PARAM_set_unmodified() to operate on a params array
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11601)
2020-04-25 18:46:32 +10:00
Rich Salz
852c2ed260 In OpenSSL builds, declare STACK for datatypes ...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.

Deprecate stack-of-block

Better documentation

Move some ASN1 struct typedefs to types.h

Update ParseC to handle this.  Most of all, ParseC needed to be more
consistent.  The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns.  There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669)
2020-04-24 16:42:46 +02:00
Matt Caswell
33388b44b6 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
2020-04-23 13:55:52 +01:00
Pauli
8d5fb64852 params: add functionality to test if an OSSL_PARAM has been set.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11588)
2020-04-22 13:56:44 +10:00
Billy Brumley
07caec83b8 [crypto/ec] deprecate Jprojective_coordinates_GFp functions
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11527)
2020-04-22 02:06:50 +03:00
Dirk-Willem van Gulik
c72e59349f Add setter equivalents to X509_REQ_get0_signature
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10563)
2020-04-21 16:52:50 +02:00
Richard Levitte
33df1cfdd5 DOC: Refactor provider-keymgmt(7) to give the keytypes their own pages
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11546)
2020-04-20 08:56:05 +10:00
Pauli
ccefc3411e dhparam: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:38 +10:00
Matt Caswell
0820217441 Create a libctx aware X509_verify_ex()
This is the same as X509_verify() except that it takes a libctx and propq
parameter and signature verification is done using those.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11507)
2020-04-16 14:19:51 +01:00
Shane Lontis
7165593ce5 Add DH keygen to providers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11332)
2020-04-16 01:14:00 +10:00
Shane Lontis
b03ec3b5d6 Add DSA keygen to provider
Moved some shared FFC code into the FFC files.
Added extra paramgen parameters for seed, gindex.
Fixed bug in ossl_prov util to print bignums.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11303)
2020-04-15 21:02:52 +10:00
Matt Caswell
137b274aee Document the new libctx aware private key functions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11494)
2020-04-15 11:24:13 +01:00
Matt Caswell
1531241c54 Teach PEM_read_bio_PrivateKey about libctx
Now that d2i_PrivateKey_ex() and other similar functions exist we should
use it when loading a PEM PrivateKey.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11494)
2020-04-15 11:24:13 +01:00
Matt Caswell
472a88b79e Teach d2i_PrivateKey et al about libctx
The Ed448 private key decoding makes algorithm fetches. Therefore we teach
d2i_PrivateKey et al about libctx and make sure it is passed through the
layers.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11494)
2020-04-15 11:24:13 +01:00
Richard Levitte
10d756a70e EC: Refactor EVP_PKEY_CTX curve setting macros for param generation
The macros are converted to functions, and are modified to support
provider implementations.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11328)
2020-04-15 11:04:28 +02:00
Dr. Matthias St. Pierre
9bf475fcf3 mkerr: remove legacy guards from generated error headers
In pull request #9333, legacy guards were added to the generated
error headers, but the mkerr.pl script was not adjusted accordingly.
So the legacy guards were removed by subsequent `make update` calls.

Fixing the mkerr.pl script properly was disproportionately complicated
by the fact that adding legacy guards only made sense for files which
already existed in version 1.1.1. To keep things simple, it was decided
to drop the legacy guards from the generated headers entirely.

Fixes #10569

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11541)
2020-04-15 10:05:42 +02:00
Aaron Thompson
ff1f7cdeb1 Add ex_data to EVP_PKEY.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11515)
2020-04-14 17:58:17 +03:00
Richard Levitte
e32e00ab20 Initialize files that declare internal symbols
util/other-internal.syms is like util/other.syms, but for internal symbols.
Likewise, util/missingcrypto-internal.txt and util/missingssl-internal.txt
are like util/missingcrypto.txt and util/missingssl.txt

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11476)
2020-04-11 15:51:43 +02:00
Richard Levitte
8270c4791d Rework util/find-doc-nits to distinguish internal documentation
We didn't really distinguish internal and public documentation, or
matched that with the state of the documented symbols.  we therefore
needed to rework the logic to account for the state of each symbol.

To simplify things, and make them consistent, we load all of
util/*.num, util/*.syms and util/missing*.txt unconditionally.

Also, we rework the reading of the manuals to happen only once (or
well, not quite, Pod::Checker reads from file too, but at the very
least, our script isn't reading the same file multiple times).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11476)
2020-04-11 15:51:43 +02:00
Jake Maynard
eacd30a703 Add manpage entry for X509_check_purpose()
Fixes #10263

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10301)
2020-04-11 11:26:58 +01:00
Matt Caswell
d4b2bfbade Make the CT code library context aware
Add the new functions CTLOG_STORE_new_with_libctx(),
CTLOG_new_with_libctx() and CTLOG_new_from_base64_with_libctx() to pass
in the library context/property query string to use a library context
is to be used.

We also add the function CT_POLICY_EVAL_CTX_new_with_libctx() to enable
the creation of a CT_POLICY_EVAL_CTX to be associated with a libctx and
property query string.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11483)
2020-04-09 14:51:48 +01:00
Richard Levitte
8519b244bc OpenSSL::OID: Don't use List::Util
It turns out that the pairwise functions of List::Util came into perl
far later than 5.10.0.  We can't use that under those conditions, so
must revert to a quick internal implementation of the functions we're
after.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11503)
2020-04-09 12:10:24 +02:00
Matt Caswell
1143c27be1 Add X509_STORE_CTX_new_with_libctx()
Make it possible to create an X509_STORE_CTX with an associated libctx
and propq.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11457)
2020-04-08 23:56:27 +01:00
Richard Levitte
c2041da8c1 EVP & TLS: Add necessary EC_KEY data extraction functions, and use them
libssl code uses EVP_PKEY_get0_EC_KEY() to extract certain basic data
from the EC_KEY.  We replace that with internal EVP_PKEY functions.

This may or may not be refactored later on.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11358)
2020-04-08 15:30:25 +02:00
Richard Levitte
4f76d62f23 EVP: add EVP_PKEY_is_a() and EVP_PKEY_can_sign()
EVP_PKEY_is_a() is the provider side key checking function corresponding
to checking EVP_PKEY_id() or an EVP_PKEY against macros like EVP_PKEY_EC.
It also works with legacy internal keys.

We also add a warning indoc/man3/EVP_PKEY_set1_RSA.pod regarding the
reliability of certain functions that only understand legacy keys.

Finally, we take the opportunity to clean up doc/man3/EVP_PKEY_set1_RSA.pod
to better conform with man-page layout norms, see man-pages(7) on Linux.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11358)
2020-04-08 15:29:14 +02:00
Richard Levitte
1d39620b34 PROV: Add the beginning of a DER writing library
This library is meant to be small and quick.  It's based on WPACKET,
which was extended to support DER writing.  The way it's used is a
bit unusual, as it's used to write the structures backward into a
given buffer.  A typical quick call looks like this:

    /*
     * Fill in this structure:
     *
     * something ::= SEQUENCE {
     *     id OBJECT IDENTIFIER,
     *     x [0] INTEGER OPTIONAL,
     *     y [1] BOOLEAN OPTIONAL,
     *     n INTEGER
     * }
     */
    unsigned char buf[nnnn], *p = NULL;
    size_t encoded_len = 0;
    WPACKET pkt;
    int ok;

    ok =   WPACKET_init_der(&pkt, buf, sizeof(buf)
        && DER_w_start_sequence(&pkt, -1)
        && DER_w_bn(&pkt, -1, bn)
        && DER_w_boolean(&pkt, 1, bool)
        && DER_w_precompiled(&pkt, -1, OID, sizeof(OID))
        && DER_w_end_sequence(&pkt, -1)
        && WPACKET_finish(&pkt)
        && WPACKET_get_total_written(&pkt, &encoded_len)
        && (p = WPACKET_get_curr(&pkt)) != NULL;

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11450)
2020-04-07 11:16:56 +02:00
Richard Levitte
77de6bb38d Add perl support to parse and DER encode ASN.1 OID specs
We have an old OID database that's not as readable as would be
desired, and we have spots with hand coded DER for well known OIDs.

The perl modules added here give enough support that we can parse
OBJECT IDENTIFIER definitions and encode them as DER.

OpenSSL::OID is a general OID parsing and encoding of ASN.1
definitions, and supports enough of the X.680 syntax to understand
what we find in RFCs and similar documents and produce the DER
encoding for them.

oids_to_c is a specialized module to convert the DER encoding from
OpenSSL::OID to C code.  This is primarily useful in file templates
that are processed with util/dofile.pl.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11450)
2020-04-07 11:16:56 +02:00
Dr. David von Oheimb
4b1fe471ac HTTP client: make server/proxy and port params more consistent; minor other improvements
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11404)
2020-04-02 18:31:06 +02:00
Dr. David von Oheimb
afe554c2d2 Chunk 10 of CMP contribution to OpenSSL: CMP http client and related tests
Also improve the generic HTTP client w.r.t. proxy and no_proxy options.

    Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
    Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
    Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
    Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11404)
2020-04-02 18:17:00 +02:00
Shane Lontis
96ebe52e89 Add EVP_PKEY_gettable_params support for accessing EVP_PKEY key data fields
Currently only RSA, EC and ECX are supported (DH and DSA need to be added to the keygen
PR's seperately because the fields supported have changed significantly).

The API's require the keys to be provider based.

Made the keymanagement export and get_params functions share the same code by supplying
support functions that work for both a OSSL_PARAM_BLD as well as a OSSL_PARAM[].
This approach means that complex code is not required to build an
empty OSSL_PARAM[] with the correct sized fields before then doing a second
pass to populate the array.

The RSA factor arrays have been changed to use unique key names to simplify the interface
needed by the user.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11365)
2020-04-01 15:51:18 +10:00
Matt Caswell
33328581b8 Add the X509v3_cache_extensions() function
Various functions cause the results of processing extensions to be
cached. The processing itself requires a libctx, and so this implicit
caching means that the default ctx is used which can lead to failures.
By explicitly caching the extensions we can specify the libctx to be used.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11409)
2020-03-30 14:54:37 +01:00
Pauli
6d4e6009d2 Param build: make structures opaque.
Since this is public, it is best to make the underlying structure opaque.
This means converting from stack allocation to dynamic allocation for all
usages.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11390)
2020-03-28 12:27:22 +10:00
Pauli
be19d3caf0 NEWS: note OSSL_PARAM_BLD API as public.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11390)
2020-03-28 12:27:22 +10:00
Matt Caswell
4c106e20ef Document various SRP related APIs
This includes the newly added *_ex() variants that take a libctx/property
query string.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11410)
2020-03-27 11:30:55 +00:00
Matt Caswell
e85982c7a9 Make SRP library context aware
In order for the TLS SRP tests to pass when using a non-default library
context the underlying SRP calls need to be library context aware.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11410)
2020-03-27 11:29:24 +00:00
Matt Caswell
be6aeda647 Add OCSP_RESPID_set_by_key_ex() and OCSP_RESPID_match_ex()
OCSP_RESPID_set_by_key() calculates a SHA1 hash of the supplied
certificate. We need to be able to specify which libctx and property
query string is used to fetch that algorithm so we introduce
OCSP_RESPID_set_by_key_ex() which does the same thing but enables you to
speicfy the library context and propery query string explicitly.

OCSP_RESPID_match() matches with certificates based on the SHA1 hash.
Therefore for the same reason we introduce OCSP_RESPID_match_ex().

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11407)
2020-03-27 11:20:39 +00:00
Richard Levitte
8243d8d1a1 EVP: Add EVP_PKEY_set_type_by_keymgmt() and use it
This function intialises an EVP_PKEY to contain a provider side internal
key.

We take the opportunity to also document the older EVP_PKEY_set_type()
and EVP_PKEY_set_type_str().

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)
2020-03-25 17:01:10 +01:00
Dr. David von Oheimb
7e765f46a6 Chunk 9 of CMP contribution to OpenSSL: CMP client and related tests
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11300)
2020-03-25 14:10:18 +01:00
Nikolay Morozov
71f852802f Issuer Sign Tool extention support
Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
This extention is required to obtain the status of a qualified certificate at Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11216)
2020-03-25 15:33:53 +03:00
Richard Levitte
5f1adadce1 util/wrap.pl: Correct exit code when signalled
On Unix, a caught signal that exits the process does so with an exit
code that is 'signal | 128'.  This modifies util/wrap.pl to mimic
that.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11379)
2020-03-25 10:51:21 +01:00
Shane Lontis
22e27978b2 Add support for passing the libctx to the config loader
The self tests for the fips module are triggered on startup and they need to know the
core's libctx in order to function correctly. As the provider can be autoloaded via configuration
it then needs to propagate the callers libctx down to the provider via the config load.

Note that OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, ..) is still called, but will only load the default
configuration if the OPENSSL_CONF environment variable is set.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11240)
2020-03-20 20:25:39 +10:00
David von Oheimb
ad090d57e2 make err() message strings of find-doc-nits consistently start with uppercase letters
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11092)
2020-03-18 14:08:29 +01:00
David von Oheimb
bc6ca4cbea add line and file info to 'Malformed line' error msg on *.num files in make-doc-nits
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11092)
2020-03-18 14:08:29 +01:00
Dr. David von Oheimb
ae8483d24d Rename OSSL_{d2i,i2d}_CMP_MSG_bio to {d2i,id2}_OSSL_CMP_MSG_bio
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11307)
2020-03-18 13:53:42 +01:00
Dr. David von Oheimb
90a7c90500 fix false positive of check-format.pl regarding '#if' on preceding line; extend negative tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11285)
2020-03-18 13:43:36 +01:00
Dr. David von Oheimb
aed723f1e4 make util/check-format.pl script executable
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11285)
2020-03-18 13:43:36 +01:00
Dr. David von Oheimb
38e497818e fix false positive of check-format.pl reporting '{1 stmt}' after multi-line 'if(expr)'
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11285)
2020-03-18 13:43:36 +01:00
Richard Levitte
70a7dd6f96 X509: Rename X509_set0_sm2_id() and friends
- X509_set0_sm2_id() -> X509_set0_distinguishing_id()
- X509_get0_sm2_id() -> X509_get0_distinguishing_id()
- X509_REQ_set0_sm2_id -> X509_REQ_set0_distinguishing_id()
- X509_REQ_get0_sm2_id -> X509_REQ_get0_distinguishing_id()

The reason for this rename is that the SM2 ID isn't really a unique
SM2 data item, but rather a re-use of the Distinguished that is
defined in ISO/IEC 15946-3 as well as in FIPS 196, with no special
attribution toward any algorithm in particular.

Fixes #11293

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11302)
2020-03-15 19:42:04 +01:00
Richard Levitte
2972af109e PROV: Add RSA functionality for key generation
This includes added support in legacy controls

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
2020-03-12 10:44:02 +01:00
Richard Levitte
6292475573 EVP: Add new domparams and key generation functionality
The following functions are added:

EVP_PKEY_gen_set_params(), replacing the older EVP_PKEY_CTX_ctrl()
EVP_PKEY_gen(), replacing both EVP_PKEY_keygen() and EVP_PKEY_paramgen()

These functions are made to work together with already existing domparams
and key generation functionality: EVP_PKEY_CTX_new_provided(),
EVP_PKEY_paramgen_init(), EVP_PKEY_keygen_init(), etc.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
2020-03-12 10:44:01 +01:00
Rich Salz
4b5371913e DOCS: Use "command" not "tool" or "utility"
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11123)
2020-03-11 06:17:17 +01:00
Dr. David von Oheimb
44387c9000 Move OSSL_CMP_X509_digest() to x_all.c, renaming it to X509_digest_sig()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Dr. David von Oheimb
62dcd2aa17 Chunk 8 of CMP contribution to OpenSSL: CMP server and cmp_mock_srv.c for testing
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Richard Levitte
2f3a709807 DOCS: Add missing documentation in util/missingcrypto.txt
These lines will be taken away as documentation moves from diverse
provider operation interface manuals to implementation specific docs.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
2020-03-10 13:32:07 +01:00
Dr. David von Oheimb
99a16e0459 Renew and extend the tool for checking adherence to C coding style rules
aims at checking most of https://www.openssl.org/policies/codingstyle.html
and various requirements not yet explicitly stated there - see also #10725

add util/check-format.pl and its self-tests in
util/check-format-test-{positives,negatives}.c
remove util/openssl-format-source

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10363)
2020-03-09 11:03:21 +01:00
Richard Levitte
5c33a6ba65 util/wrap.pl: do not look at EXE_SHELL
Acting on EXE_SHELL was a bit over the top, especially in light of
instructions like this (from NOTES.VALGRIND):

    EXE_SHELL="`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 --leak-check=full -q"

Fixes #11255

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11258)
2020-03-09 10:45:42 +01:00
Pauli
6bd4e3f231 cmdline app: add provider commandline options.
Add a -provider option to allow providers to be loaded. This option can be
specified multiple times.

Add a -provider_path option to allow the path to providers to be specified.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11167)
2020-03-07 11:46:48 +10:00
Rich Salz
433deaffce Use .cnf for config files, not .conf
The default is openssl.cnf  The project seems to prefer xxx.conf these
days, but we should use the default convention.

Rename all foo.conf (except for Configurations) to foo.cnf

Fixes #11174

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)
2020-03-06 18:25:13 +01:00
Dmitry Belyavskiy
348900774c Documenting newly added CMS modification
Documented CMS-related API functions.
Documented flags added to openssl-cms command

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)
2020-03-03 16:34:40 +03:00
Dmitry Belyavskiy
71434aed0d Implementation of Russian GOST CMS
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10904)
2020-03-03 16:34:40 +03:00
Shane Lontis
47c239c6b8 Add pairwise consistency self tests to asym keygenerators
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10952)
2020-03-03 14:02:36 +10:00
Nikolay Morozov
6103f39c0d x509v3 subjectSignTool extention support
Subject Sign Tool (1.2.643.100.111) The name of the tool used to signs the subject (UTF8String)
This extention is required to obtain the status of a qualified certificate at Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11093)
2020-02-28 18:01:16 +03:00
Richard Levitte
1dfdbd5bf6 Fix util/mktar.sh to use the new VERSION information
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11190)
2020-02-28 12:19:16 +01:00
Richard Levitte
12d99aac97 Deprecate ASN1_sign(), ASN1_verify() and ASN1_digest()
These are old functions that fell out of use with OpenSL 0.9.7.
It's more than time to deprecate them.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11161)
2020-02-27 23:21:14 +01:00