Commit Graph

28539 Commits

Author SHA1 Message Date
Tomas Mraz
0be6cf0c7e Remove some of the TODO 3.0 in crypto/evp related to legacy support.
The legacy support stays in 3.0. The TODOs are dropped.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)
2021-03-04 14:15:01 +01:00
Tomas Mraz
bffe3ae7b8 crypto/param_build_set.c: Remove irrelevant TODO 3.0
The OSSL_PARAM_set_BN() pads to data_size so there is no
need for OSSL_PARAM_set_BN_pad().

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)
2021-03-04 14:15:01 +01:00
Tomas Mraz
f40fa7b9ad crypto/ppccap.c: Remove useless TODO 3.0
The chacha and poly1305 algorithms are not FIPS approved so
they should stay out of FIPS module.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)
2021-03-04 14:15:01 +01:00
Tomas Mraz
946bdd12a0 include/crypto: Remove TODOs that are irrelevant for 3.0
The legacy support will not be removed in 3.0. Remove the
related TODO 3.0 marks.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)
2021-03-04 14:15:01 +01:00
Tomas Mraz
9522f0a6a9 include/internal: Remove TODOs that are irrelevant for 3.0
The sha3 and sm3 legacy support requires these headers.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14404)
2021-03-04 14:15:01 +01:00
Tomas Mraz
2c8a740a9f test/x509: Test for issuer being overwritten when printing.
The regression from commit 05458fd was fixed, but there is
no test for that regression. This adds it simply by having
a certificate that we compare for -text output having
a different subject and issuer.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14353)
2021-03-04 12:15:37 +01:00
Dr. David von Oheimb
39a61e69b8 OSSL_STORE: restore diagnostics on decrypt error; provide password hints
Fixes #13493

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13525)
2021-03-04 08:54:09 +01:00
Tobias Nießen
e3a2ba7547 crypto: rename error flags in internal structures
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14405)
2021-03-04 10:17:20 +10:00
Richard Levitte
33ac7b324b Add a new test recipe to verify the generated test fipsmodule.cnf
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:43 +01:00
Richard Levitte
c9b0214ede Fix the perl code to get FIPSMODULENAME
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:43 +01:00
Richard Levitte
e25b4db754 TEST: Remove the build of fipsmodule.cnf from test recipes
The exception is the test recipe that tests 'openssl fipsinstall'.
However, that one uses a different output file name, so it's safe.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:43 +01:00
Richard Levitte
e9d74dbd36 APPS: Modify 'fipsinstall' to output all notifications on stderr
The actual output of the 'fipsinstall' is the config file it outputs.
It should be possible to output that to standard output, and diverse
notification messages shouldn't be mixed in.  Therefore, we output
them to standard error instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:43 +01:00
Richard Levitte
05869bba7f Make 'tests' depend on a generated 'providers/fipsmodule.cnf'
providers/fipsmodule.cnf is generated using 'openssl fipsinstall' with
the openssl program in the build directory.

Fixes #14315

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:43 +01:00
Richard Levitte
79f47ef507 build.info: Make it possible to use compiled programs as generators
Our goal is to be able to produce fipsmodule.cnf with the help of
'openssl fipsinstall', using the openssl program that we build.

This refactors the generatesrc code in all the build file templates to
replace $generator and $generator_incs with $gen0, $gen_args and $gen_incs,
which makes it easier and more consistent to manipulate different bits
of the generator command, and also keeps the variable names consistent
while not overly long.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:01 +01:00
Richard Levitte
3f399e3787 build.info: Add the possibility to add dependencies on raw targets
We need to add something for the 'tests' target to depend on, so a
special syntax for those is introduced:

    DEPEND[|tests|]=fipsmodule.cnf

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
2021-03-03 14:47:01 +01:00
Richard Levitte
8593ff00cc DOCS: Fix provider-mac.pod and the docs of our implementations
The idea being that doc/man7/provider-mac.pod is for provider authors,
while provider users find the documentation for each implementation in
doc/man7/EVP_MAC-*.pod, the documentation of parameters wasn't quite
aligned.  This change re-arranges the parameter documentation to be
more aligned with this idea.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14380)
2021-03-03 14:08:00 +01:00
Pauli
cb54d1b9d7 doc: add a note to the RAND_get0_ calls indicating how to set the DRBG type.
The type needs to be set before the DRBGs are created.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14386)
2021-03-03 22:03:26 +10:00
Tomas Mraz
f21afe6360 ossl_rsa_sp800_56b_check_public: Be more lenient with small keys
Fixes #13995

For small keys the MR test on the modulus can return
BN_PRIMETEST_COMPOSITE_WITH_FACTOR status although the modulus
is correct.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14389)
2021-03-03 12:53:19 +01:00
Pauli
87994aa847 rand: remove FIPS mode conditional code.
The FIPS provider no longer has seeding sources inside the boundary, the
related conditional code can therefore be removed.

Fixes #14358

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14382)
2021-03-03 21:22:06 +10:00
Tomas Mraz
fb67126ea8 EVP_PKEY_CTX_get/settable_params: pass provider operation context
This allows making the signature operations return different
settable params when the context is initialized with
EVP_DigestSign/VerifyInit.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14338)
2021-03-03 11:25:39 +01:00
Shane Lontis
4e4ae84056 Fix NULL access in ssl_build_cert_chain() when ctx is NULL.
Fixes #14294

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14295)
2021-03-03 16:16:19 +10:00
Tomas Mraz
81f9af3460 Remove todos in decode_der2key.c and decode_ms2key.c
Those TODOs do not really apply to 3.0 as the legacy internal
keys will stay.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Tomas Mraz
77b03f0e8f Improve error reporting in key exchange provider implementations
Added some error reporting in dh_exch.c and unified error reporting
with it in other key exchange methods.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Tomas Mraz
f5c629a00a Remove unused MAX_TLS_MAC_SIZE define
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Tomas Mraz
fffb67343e Remove todos in providers/implementations/include/prov
Those TODOs are not relevant anymore as the headers
are now in providers.

Also make the header guard defines better reflect the
header placement.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Tomas Mraz
8d05a65256 Resolve TODOs in signature implementations.
The DER writing errors can be ignored safely.

Document that the EVP_MAX_MD_SIZE is a hardcoded limit
for digest sizes.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Tomas Mraz
f378755d62 statem_lib.c: Remove TODOs that are unnecessary
If the EVP_MD_CTX_ctrl is deprecated the code will
generate deprecation warnings. So there is no point in marking
all EVP_MD_CTX_ctrl() calls with TODOs.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Tomas Mraz
5e2f580d4a test_ssl_new: X448, X25519, and EdDSA are supported with fips
Removed the related TODOs.

Also adjusted the DH parameters used for the DH test to be acceptable
for FIPS as that now allows only known safe prime parameters.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Tomas Mraz
21b7dfa8ad evp_extra_test2: Remove TODO 3.0
The TODO marks optional cleanup that can be done any time in future.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Tomas Mraz
b3c155b83c evp_extra_test: Remove TODO comment as setting the curve is mandatory
Even with the SM2 algorithm the curve is needed for the paramgen.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14367)
2021-03-03 10:00:21 +10:00
Matt Caswell
d36a5dd05e Fix a copy&paste error in evp_extra_test
test_EC_priv_pub fails to test the case where both a private and public
key have been supplied.

Fixes #14349

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14351)
2021-03-02 14:58:40 +00:00
Fangming.Fang
d7d8e2c894 Fix compiling error on arm
Fixes #14313

Change-Id: I0dc9dd475a1ed1331738355fbbec0c51fbcb37f1

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14346)
2021-03-02 21:25:00 +10:00
Dr. David von Oheimb
025c0f5289 openssl-cmp.pod.in: replace the term 'verify' by the more correct 'validate'
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14018)
2021-03-02 11:05:34 +01:00
Dr. David von Oheimb
dd5fa5f5af CMP: On NULL-DN subject or issuer input omit field in cert template
Also improve diagnostics on inconsistent cert request input in apps/cmp.c,
add trace output for transactionIDs on new sessions,
and update the documentation in openssl-cmp.pod.in.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14018)
2021-03-02 11:05:34 +01:00
Pauli
e1f946630f test: use the new set public and private together call
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14341)
2021-03-02 13:23:17 +10:00
Pauli
740582cfaf test: add utility function to set the fake random callback on both the public and private instances
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14341)
2021-03-02 13:23:17 +10:00
Pauli
fccdb61aee test: update ECDSA and SM2 internal tests in line with the fake_random change
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14341)
2021-03-02 13:23:17 +10:00
Pauli
5a11de50a4 test: update test_random to create real contexts instead of sharing one
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14341)
2021-03-02 13:23:17 +10:00
Richard Levitte
0647162f6a make update
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14352)
2021-03-01 13:39:43 +01:00
UndefBehavior
bed963d58d Fix build of /dev/crypto engine with no-dynamic-engine option
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14329)
2021-03-01 12:02:42 +01:00
Rich Salz
b0aae91324 Remove RSA SSLv23 padding mode
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14248)
2021-03-01 10:56:12 +01:00
Dr. David von Oheimb
d546e8e267 Generalize schmeme parsing of OSSL_HTTP_parse_url() to OSSL_parse_url()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14009)
2021-03-01 10:30:43 +01:00
Dr. David von Oheimb
7932982b88 OSSL_HTTP_parse_url(): Handle any userinfo, query, and fragment components
Now handle [http[s]://][userinfo@]host[:port][/path][?query][#frag]
by optionally providing any userinfo, query, and frag components.

All usages of this function, which are client-only,
silently ignore userinfo and frag components,
while the query component is taken as part of the path.
Update and extend the unit tests and all affected documentation.
Document and deprecat OCSP_parse_url().

Fixes an issue that came up when discussing FR #14001.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14009)
2021-03-01 10:30:43 +01:00
Dr. David von Oheimb
e60e974414 apps/x509.c: Fix mem leaks in processing of -next_serial in print loop
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14340)
2021-02-28 11:46:34 +01:00
Dr. David von Oheimb
46a11faf3b apps/x509.c: Improve print_name() and coding style of large print loop in x509_main()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14340)
2021-02-28 11:46:34 +01:00
Dr. David von Oheimb
859e5f1621 apps/x509.c: Improve indentation of the large print loop in x509_main()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14340)
2021-02-28 11:46:34 +01:00
Dr. David von Oheimb
ed0a5ac920 apps/x509.c: Fix too eager call to X509_set_issuer_name() introduced recently
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14340)
2021-02-28 11:46:34 +01:00
Pauli
d5a936c5b1 rand: use params argument on instantiate call
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)
2021-02-28 17:25:49 +10:00
Pauli
dbf299f73d core: add params argument to DRBG instantiate call
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)
2021-02-28 17:25:49 +10:00
Pauli
f8a5822cff doc: update documenation with params argument on DRBG instantiate calls
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)
2021-02-28 17:25:49 +10:00