Commit Graph

29483 Commits

Author SHA1 Message Date
Shane Lontis
b9098d4edd Add Docs for EVP_CIPHER-*
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
2021-05-28 14:29:13 +02:00
Shane Lontis
97aede6846 EVP_CIPHER Documentation updates
EVP_EncryptInit.pod now follows the pattern used in EVP_DigestInit.pod.
i.e.
'=item' is used for methods
PARAMETERS and CONTROLS sections have been added.

The PARAMETERS list has been moved from provider-cipher.pod (this file just
has a link now).
Missing fields were updated.

The CONTROLS shows the mappings to OSSL_PARAM keys.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
2021-05-28 14:28:44 +02:00
Sven Schwermer
29253e1e87 ERR: Rebuild generated engine error files
CLA: trivial

Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15495)
2021-05-28 14:22:45 +02:00
Sven Schwermer
5642882f11 mkerr: Fix string literal conversion
This fixes a compiler warning on clang-1205.0.22.9 when compiling the
generated code as C++11:

ISO C++11 does not allow conversion from string literal to 'char *'
[-Wwritable-strings]

CLA: trivial

Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15495)
2021-05-28 14:22:45 +02:00
Shane Lontis
da5f770ae3 Fix PKCS12_create() so that a fetch error is not added to the error stack.
Fixes #15392

PBE algorithms such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC will
currently always fail to the EVP_CIPHER_fetch() call, so the fallback to
a legacy algorithm always happens. In this case the error stack should
ignore the fetch error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15473)
2021-05-28 13:54:19 +02:00
Tommy Chiang
6c014da0b2 Fix typo about SSL_CONF_FLAG_CMDLINE
change SSL_CONF_CMDLINE to SSL_CONF_FLAG_CMDLINE
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15489)
2021-05-28 11:20:20 +02:00
Rich Salz
3e3ad3c548 Fix issues found by md-nits
Fixes #15460

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15461)
2021-05-28 11:14:46 +02:00
Petr Gotthard
32075a1724 Fix memory leak in OSSL_CMP_CTX
The ctx->propq is strdup'ed, so it must be free'd too.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15458)
2021-05-28 11:11:53 +02:00
Rich Salz
a935791d54 Rework and make DEBUG macros consistent.
Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.

Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it for printing reference counts.

Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG

Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to
be set also.

Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.

Fixes #15357

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15353)
2021-05-28 10:04:31 +02:00
David Makepeace
6bf3692d31 Fix doc typos.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15483)
2021-05-28 14:03:36 +10:00
Tom Cosgrove
bb97dc508f Initialise OPENSSL_armcap_P to 0 before setting it based on capabilities, not after
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15486)
2021-05-28 10:28:29 +10:00
Tomas Mraz
365d207faa FIPS Checksums: checkout the head of the base repo as pristine
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15503)
2021-05-28 09:11:18 +10:00
Todd Short
e49095f186 Call SSLfatal when the generate_ticket_cb returns 0
Otherwise, the state machine ends up being in a bad state:
```
SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:XXX:
```

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15487)
2021-05-27 11:54:32 -07:00
Tomas Mraz
07fb85cf61 FIPS Checksums CI: use separate directories for the checkouts
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15481)
2021-05-27 15:30:58 +02:00
Tomas Mraz
9fc7a053fc generate_fips_sources: properly include providers/common/der/*.in
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15481)
2021-05-27 15:30:58 +02:00
Juergen Christ
4612eec35d Fix compilation warning with GCC11.
Parameter "header" of ssl3_cbc_digest_record was fixed to a 13 bytes header
but used as a pointer.  This caused a warning about out-of-bounds array access
with GCC 11.

Fixes #15462.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15463)
2021-05-27 20:31:13 +10:00
Pauli
72f62f4408 coverity 1484912: Null pointer dereferences (NULL_RETURNS)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15425)
2021-05-27 20:29:24 +10:00
Pauli
29604f4920 coverity 1484913: Null pointer dereferences (REVERSE_INULL)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15425)
2021-05-27 20:29:14 +10:00
Dr. David von Oheimb
91f2b15f2e TEST: Prefer using precomputed RSA and DH keys for more efficient tests
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
2021-05-27 11:06:01 +02:00
Dr. David von Oheimb
8b893c35da APPS req: Extend the -keyout option to be respected also with -key
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
2021-05-27 11:06:01 +02:00
Dr. David von Oheimb
54e8f7259b DOC: Improve description of 'req' app: -new, -newkey, and -keyout options
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
2021-05-27 11:06:01 +02:00
Shane Lontis
3257179b7a Fix spelling mistake in d2i_PrivateKey.pod
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15423)
2021-05-27 18:51:36 +10:00
Shane Lontis
8cf78d634b Add demo for EC keygen
Fixes #14112

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15423)
2021-05-27 18:51:36 +10:00
jwalch
dcc780cf8d Fix OCSP_sendreq_nbio arg order
Fixes #15470

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15471)
2021-05-27 13:20:38 +10:00
Pauli
422da9bbfb test: test MP genrsa in deprecated builds
These multi-prime tests were omitted when genrsa was deprecated but not
returned when it was restored.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:50 +10:00
Pauli
5c99d57ea3 test: add test for key generation strength > RNG strength
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:50 +10:00
Pauli
dfad3a00be test: test genrsa in deprecated builds
These tests were omitted when genrsa was deprecated but not returned when
it was restored.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:50 +10:00
Pauli
3134fb284f errors: update error message (to be squashed)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:50 +10:00
Pauli
476798f22f rsa: check that the RNG is capable of producing a key of the specified size
During key generation, any sized key can be asked for.  Attempting to generate
a key with a security strength larger than the RNG strength now fails.

Fixes #15421

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:50 +10:00
Pauli
0c05fda40e rsa: remove the limit on the maximum key strength
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
2021-05-27 13:01:28 +10:00
Rich Salz
9d0dd1d513 Use "" for include crypto/xxx
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15468)
2021-05-27 09:56:41 +10:00
Rich Salz
449bdf3746 Use "" for include internal/xxx
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15468)
2021-05-27 09:56:41 +10:00
Rich Salz
6229815ab8 Use <> for #include openssl/xxx
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15468)
2021-05-27 09:56:41 +10:00
Pauli
e475d9a443 rsa: rename global rsaz_ sumbols so they are in namespace
The symbols renamed are:

RSAZ_amm52x20_x1_256
RSAZ_amm52x20_x2_256
rsaz_avx512ifma_eligible
RSAZ_mod_exp_avx512_x2

Additionally, RSAZ_exp52x20_x2_256 was made static

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15445)
2021-05-27 09:35:50 +10:00
Pauli
3675334e2b aes: rename new bsaes_ symbols -> ossl_bsaes_ ones
bsaes_cbc_encrypt -> ossl_bsaes_cbc_encrypt
bsaes_ctr32_encrypt_blocks -> ossl_bsaes_ctr32_encrypt_blocks
bsaes_xts_decrypt -> ossl_bsaes_xts_decrypt
bsaes_xts_encrypt -> ossl_bsaes_xts_encrypt

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15445)
2021-05-27 09:35:50 +10:00
Pauli
190c029eab bn: rename extract_multiplier_2x20_win5 -> ossl_extract_multiplier_2x20_win5
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15445)
2021-05-27 09:35:50 +10:00
Pauli
36ec749fda bn: rename bn_check_prime_int -> ossl_bn_check_primt
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15445)
2021-05-27 09:35:50 +10:00
Tomas Mraz
0800318a0c Deprecate old style BIO callback calls
New style BIO_debug_callback_ex() function added to provide
replacement for BIO_debug_callback().

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15440)
2021-05-26 17:18:34 +02:00
Tianjia Zhang
022411112d apps: Fix the mismatch of SM2 keys keymgmt
The SM2 key has a separate keymgmt, which is independent of the
EC. The key generated by the subcommand ecparam is wrong. Using
'openssl ec -in sm2.key -noout -text' will also encounter some
errors.

When using the ecparam subcommand to generate the SM2 key, use
the correct keymgmt to solve this problem.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15454)
2021-05-26 16:57:40 +02:00
Richard Levitte
0e7e3b9b9d util/fix-doc-nits: Fix link detection in collectnames() to be kinder
The way the links were parsed out of the contents caused a regexp
recursion.  The easiest way to deal with it is to find all markup
using $markup_re, and then parsing out the L markups and add them to
the links array.

Fixes #15449

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15450)
2021-05-26 15:15:18 +02:00
Richard Levitte
7c499c7da9 TEST: Add test specific fipsmodule.cnf, and use it
We add the concept of preparation recipes, which are performed
unconditionally.  They are all expected to match the pattern
test/recipes/00-prep_*.t.

We add one such preparation recipe, test/recipes/00-prep_fipsmodule_cnf.t,
which helps us generate a test specific fipsmodule.cnf, to be used by
all other tests.

Fixes #15166

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
2021-05-26 15:11:01 +02:00
Richard Levitte
f5657ce8e6 Build file templates: rework FIPS module installation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
2021-05-26 15:11:01 +02:00
Richard Levitte
6dd07a9328 Build file templates: rework how general dependencies are computed
For some types of targets, we pretty much know what kinds of files all
the dependencies are.  For some, however, we can't assume anything,
and are faced with dependencies in platform agnostic form.  We need to
find those in diverse places in %unified_info, and deduce from there
how they should be converted to a platform specific form.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
2021-05-26 15:11:01 +02:00
Richard Levitte
a2405c5f20 Rework how providers/fipsmodule.cnf is produced
First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.

Second, having the production of providers/fipsmodule.cnf as a
dependency for run_tests wasn't quite right.  What we really want is
to generate it as soon as a new providers/fips.so is produced.  That
required a small bit of fiddling with how diverse dependencies are
made.

Fixes #15166

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
2021-05-26 15:11:01 +02:00
Matt Caswell
bfd6b619b6 Ignore the threadstest_fips executable
Add a new executable that isn't caught by existing .gitignore rules

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15453)
2021-05-26 22:08:10 +10:00
Tomas Mraz
4d2d4b4bc1 OSSL_DECODER_from_bio: Report an unsupported error when there is none
When nothing was decoded and there is no error on the stack report
something.

Fixes #15442

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15441)
2021-05-26 13:04:38 +02:00
Tomas Mraz
05814be8d6 Add negative test cases for PEM_read_bio_PrivateKey
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15441)
2021-05-26 13:04:38 +02:00
Tomas Mraz
07f65429c3 Fix possible infinite loop in pem_read_bio_key_decoder()
There could be an infinite loop if no read happened.

Fixes #15426

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15441)
2021-05-26 13:04:38 +02:00
Pauli
b59b2f93a1 test: update RSA test with current bit strengths
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/15428)
2021-05-26 20:39:38 +10:00
Pauli
1cf520e9d0 rsa: special case the strengths of RSA with 7680 and 15360 bits
Also cap the strengths for values under these two because the formula
overestimates around them.

The formula NIST gives doesn't match the table also presented in IG 7.5

Partial fix for #15421

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/15428)
2021-05-26 20:39:38 +10:00