Commit Graph

26276 Commits

Author SHA1 Message Date
Vadim Fedorenko
996a6ac32b kTLS: make ktls_start type independed
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)
2020-06-08 11:13:52 +01:00
Hubert Kario
c8636ebf4a fix doc typo in bn_dh.c
while RFC 2312 refers to S/MIME it doesn't actually declare any groups,
RFC 2412 actually talks about DH extensively and the group
defined in the code below is defined on page 47 of it

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12076)
2020-06-08 11:27:34 +03:00
Dr. David von Oheimb
71273ab57a Fix 90-test_store.t for latest config, limits, providers, and disabled algos
Also make sure that the test do not 'pass' if their initialization fails.
Leave out the expensive parts of DSA key gen and RSA keygen for efficiency.
Fix use of the new CA configuration file test/ca-and-certs.cnf.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11733)
2020-06-08 05:39:16 +02:00
Dr. David von Oheimb
49f84002d0 Fix documentation of OSSL_STORE
Among others, make clear that OSSL_STORE_close() meanwhile does nothing on NULL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11733)
2020-06-08 05:38:05 +02:00
Dr. David von Oheimb
c29ba6a92e Fix mem leaks and allow missing pkey and/or cert in try_decode_PKCS12()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11733)
2020-06-08 05:37:48 +02:00
Dr. David von Oheimb
4ca015555b Add chain to PKCS#12 test file generation in 90-test_store.t
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11733)
2020-06-08 05:37:47 +02:00
Dr. David von Oheimb
9f5ff440b8 Fix code layout in crypto/store/loader_file.c satisfying check-format.pl -l
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11733)
2020-06-08 05:37:47 +02:00
Richard Levitte
c4683009ad TEST: Adjust test/bioprinttest.c to behave like the testutil routines
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12057)
2020-06-06 19:18:30 +02:00
Richard Levitte
66d8bd4b37 TESTUTIL: Adjust the rest of testutil
Fixes #12054

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12057)
2020-06-06 19:18:30 +02:00
Richard Levitte
8dce4aa2d9 TESTUTIL: Separate TAP output and other output by BIO filter
Output that's supposed to be understood by a TAP parser gets its own
BIOs (|tap_out| and |tap_err|), and is only used internally within
testutils.  |bio_out| and |bio_err| is now only used for output that
shouldn't be parsed by the TAP parser, and all output written to those
BIOs are therefore always made to look like comments (it gets prefixed
with "# ").

Indentation and prefixing with "# " is reworked to use BIO_f_prefix(),
which allows us to throw away the internal BIO_f_tap().

The indentation level is now adjusted via a special function.

Fixes #12054

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12057)
2020-06-06 19:18:30 +02:00
Dr. David von Oheimb
591315297e Consolidate doc of BIO_do_connect() and its alias BIO_do_handshake()
Also documents that they meanwhile try all IP addresses resolved for a given domain name

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12017)
2020-06-06 11:24:23 +02:00
Richard Levitte
f5e23fe889 APPS: Remove unnecessary NULL check of uri in load_cert_pass()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11873)
2020-06-06 10:34:16 +02:00
Richard Levitte
0808a75e4d APPS: Make it possible to load_cert() from stdin again
Fixes #11871

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11873)
2020-06-06 10:34:16 +02:00
Benjamin Kaduk
09527c4935 Fix a typo in SSL_CTX_set_session_ticket_cb.pod
"SSL" takes two esses, not three.

[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12038)
2020-06-05 17:11:10 -07:00
Matt Caswell
7b2d995ed7 Don't downgrade keys in libssl
We were downgrading to legacy keys at various points in libssl in
order to get or set an encoded point. Now that the encoded point
functions work with provided keys this is no longer necessary.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11898)
2020-06-05 11:04:11 +01:00
Matt Caswell
7fa2b2673e When asked if an ECX key has parameters we should answer "true"
An ECX key doesn't have any parameters associated with it. Therefore it
always has all the parameters it needs, and the "has" function should
return 1 if asked about parameters. Without this
EVP_PKEY_missing_parameters() fails for ECX keys.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11898)
2020-06-05 11:04:11 +01:00
Matt Caswell
11391da217 Always create a key when importing
Even if there is no data to import we should still create an empty key.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11898)
2020-06-05 11:04:11 +01:00
Matt Caswell
6a9bd9298b Make EVP_PKEY_[get1|set1]_tls_encodedpoint work with provided keys
EVP_PKEY_[get1|set1]_tls_encodedpoint() only worked if an ameth was present
which isn't the case for provided keys. Support has been added to dh,
ec and ecx keys.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11898)
2020-06-05 11:04:11 +01:00
Matt Caswell
0d52ede716 Fix error path in int create_ssl_ctx_pair()
If we hit the error path and create_ssl_ctx_pair has been passed a
pre-created SSL_CTX then we could end up with a double free.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
2020-06-05 10:31:58 +01:00
Matt Caswell
b38425393c Implement a test for sigalgs not being present
If sigalgs are not present we should not offer or accept them. We should
test that we handle this correctly.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
2020-06-05 10:31:58 +01:00
Matt Caswell
3cd69b7458 Implement a Filtering Provider
The filtering provider can be used to place a filter in front of the
default provider. Initially to filter out certain algorithms from being
available for test purposes.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
2020-06-05 10:31:58 +01:00
Matt Caswell
d01d375264 Implement OSSL_PROVIDER_get0_provider_ctx()
Implement a function which enables us to get hold of the provider ctx
for a loaded provider.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
2020-06-05 10:31:46 +01:00
Matt Caswell
5f603a280c Enable applications to directly call a provider's query operation
This is useful to get hold of the low-level dispatch tables. This could
be used to create a new provider based on an existing one.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
2020-06-05 10:31:06 +01:00
Matt Caswell
263ff2c9d4 Check that Signature Algorithms are available before using them
We should confirm that Signature Algorithms are actually available
through the loaded providers before we offer or select them.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
2020-06-05 10:31:06 +01:00
Richard Levitte
eca4713913 APPS: Drop interactive mode in the 'openssl' program
This mode is severely untested and unmaintained, is seems not to be
used very much.

Closes #4679
Closes #6292

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12023)
2020-06-05 10:01:33 +02:00
Dr. David von Oheimb
987e3a0eed Announce renamed EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters() in CHANGES.md
This is a follow-up of PR #12013.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12026)
2020-06-05 09:09:29 +02:00
Pauli
b1c21b27dc fips: add additional algorithms to the FIPS provider.
Discussions are ongoing but the OMC has approved the in-principle addition
of these algorithms to the upcoming FIPS validation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12020)
2020-06-05 09:20:20 +10:00
Jaimee Brown
a64a143f31 Minor doc fix for EVP_PKEY_CTX_new_from_pkey
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12021)
2020-06-05 09:18:36 +10:00
Kurt Roeckx
6985b0e3de Add github sponsor button
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #12035
2020-06-04 21:04:13 +02:00
Nicola Tuveri
00da0f6989 [crypto/ec] Remove unreachable AVX2 code in NISTZ256 implementation
`crypto/ec/ecp_nistz256.c` contained code sections guarded by a
`ECP_NISTZ256_AVX2` define.

The relevant comment read:

> /*
>  * Note that by default ECP_NISTZ256_AVX2 is undefined. While it's great
>  * code processing 4 points in parallel, corresponding serial operation
>  * is several times slower, because it uses 29x29=58-bit multiplication
>  * as opposite to 64x64=128-bit in integer-only scalar case. As result
>  * it doesn't provide *significant* performance improvement. Note that
>  * just defining ECP_NISTZ256_AVX2 is not sufficient to make it work,
>  * you'd need to compile even asm/ecp_nistz256-avx.pl module.
>  */

Without diminishing the quality of the original submission, it's evident
that this code has been basically unreachable without modifications to
the library source code and is under-tested.

This commit removes these sections from the codebase.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12019)
2020-06-04 18:35:28 +03:00
Otto Hollmann
c1fd005bfc Add cipher list ciphersuites which using encryption algorithm in mode CBC.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11984)
2020-06-04 17:45:00 +03:00
Richard Levitte
c8567c392c CORE: make sure activated fallback providers stay activated
Calling 'OSSL_PROVIDER_available(NULL, "default")' would search for
the "default" provider, and in doing so, activate it if necessary,
thereby detecting that it's available...  and then immediately free
it, which could deactivate that provider, even though it should stay
available.

We solve this by incrementing the refcount for activated fallbacks one
extra time, thereby simulating an explicit OSSL_PROVIDER_load(), and
compensate for it with an extra ossl_provider_free() when emptying the
provider store.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11926)
2020-06-04 16:42:45 +02:00
Richard Levitte
f995e5bdcd TEST: Add provider_fallback_test, to test aspects of fallback providers
There are cases where the fallback providers aren't treated right.
For example, the following calls, in that order, will end up with
a failed EVP_KEYMGMT_fetch(), even thought the default provider
does supply an implementation of the "RSA" keytype.

    EVP_KEYMGMT *rsameth = NULL;

    OSSL_PROVIDER_available(NULL, "default");
    rsameth = EVP_KEYMGMT_fetch(NULL, "RSA", NULL);

For good measure, this also tests that explicit loading of the default
provider won't fail.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11926)
2020-06-04 16:42:45 +02:00
Aaron Thompson
4cbb196b1b Fix missed fields in EVP_PKEY_meth_copy.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11514)
2020-06-04 17:39:51 +03:00
Matt Caswell
c2db6839e4 Prepare for 3.0 alpha 4
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-06-04 14:58:20 +01:00
Matt Caswell
3952c5a312 Prepare for release of 3.0 alpha 3
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-06-04 14:56:40 +01:00
Matt Caswell
00c405b365 Update copyright year
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12043)
2020-06-04 14:33:57 +01:00
Pauli
19d15f97b3 ossl_shim: const cast the param arguments to avoid errors
[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12022)
2020-06-03 21:17:18 +10:00
Bernd Edlinger
42fa3e6669 Fix a buffer overflow in drbg_ctr_generate
This can happen if the 32-bit counter overflows
and the last block is not a multiple of 16 bytes.

Fixes #12012

[extended tests]

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12016)
2020-06-03 13:15:36 +02:00
Rich Salz
2b584ff372 Update manpage to fix examples, other minor tweaks
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
2020-06-03 09:57:02 +02:00
Rich Salz
4e6e57cfcd Cleanup cert config files for tests
Merge test/P[12]ss.cnf into one config file
Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf
Remove Netscape cert extensions, add keyUsage comment from some cnf files

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
2020-06-03 09:56:56 +02:00
Pauli
5c01a133ec ossl_shim: include core_names.h to resolve undeclared symbols
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12018)
2020-06-03 10:41:02 +10:00
Richard Levitte
29c49b2534 TEST: Test i2d_PKCS8PrivateKey_bio() and PEM_write_bio_PKCS8PrivateKey()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11855)
2020-06-02 20:00:25 +02:00
Richard Levitte
eb2bba2569 PEM: Make PKCS8 serializers aware of OSSL_SERIALIZERs
PEM_write_bio_PKCS8PrivateKey(), i2d_PKCS8PrivateKey_bio(),
PEM_write_PKCS8PrivateKey(), and i2d_PKCS8PrivateKey_fp() are affected
by this.

Fixes #11845

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11855)
2020-06-02 20:00:25 +02:00
Jack O'Connor
a5a87011ba fix a docs typo
Correct "EC_KEY_point2buf" to "EC_POINT_point2buf". The former does not exist.

CLA: trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11988)
2020-06-02 13:01:56 +02:00
Bernd Edlinger
d805b83166 Prevent extended tests run unexpectedly in appveyor
Reason turns out that "git log -2" is picking up a merge
commit and a random commit message from the master branch.

Restore the expected behavior by using
git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11981)
2020-06-02 11:34:32 +02:00
Billy Brumley
23ccae80bd Move EC_METHOD to internal-only
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11928)
2020-06-02 11:17:24 +03:00
Richard Levitte
e306f83c8c APPS: Remove make_config_name, use CONF_get1_default_config_file instead
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11983)
2020-06-02 09:42:34 +02:00
Bernd Edlinger
32df13497a Remove getenv(OPENSSL_FIPS) in openssl command
This is left over from the past.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11995)
2020-06-01 22:52:06 +02:00
Bernd Edlinger
41dccd68b9 Revert the check for NaN in %f format
Unfortunately -Ofast seems to break that check.

Fixes #11994

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12003)
2020-06-01 18:20:28 +02:00