Commit Graph

28097 Commits

Author SHA1 Message Date
Dr. David von Oheimb
c926a5ecb7 X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14088)
2021-02-11 21:34:27 +01:00
Dr. David von Oheimb
f1923a2147 X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14130)
2021-02-11 20:25:27 +01:00
Dr. David von Oheimb
d1e85cdf79 x509_vfy.c: Make chain_build() error diagnostics to the point
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14094)
2021-02-11 20:08:41 +01:00
Tomas Mraz
283df0b84b Rename internal providercommonerr.h to less mouthful proverr.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14086)
2021-02-11 09:34:31 +01:00
Tomas Mraz
f5f29796f0 Various cleanup of PROV_R_ reason codes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14086)
2021-02-11 09:34:31 +01:00
Tomas Mraz
2741128e9d Move the PROV_R reason codes to a public header
The PROV_R codes can be returned to applications so it is useful
to have some common set of provider reason codes for the applications
or third party providers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14086)
2021-02-11 09:34:31 +01:00
KOBAYASHI Ittoku
dc9ec65a01 Match description with actual output of dgst
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14089)
2021-02-11 10:19:21 +10:00
FdaSilvaYY
3a111aadc3 include/internal: add a few missing #pragma once directives
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14096)
2021-02-10 23:20:58 +01:00
FdaSilvaYY
d59068bd14 include/openssl: add a few missing #pragma once directives
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14096)
2021-02-10 23:20:57 +01:00
FdaSilvaYY
80ce21fe1a include/crypto: add a few missing #pragma once directives
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14096)
2021-02-10 23:20:57 +01:00
Pauli
835f3526a2 test: turn off parallel tests in verbose mode.
The existing code prints a warning saying that verbose mode is ignored with
parallel jobs.  This seems backward, more useful is disabling parallel jobs
when verbose is enabled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14137)
2021-02-11 08:16:29 +10:00
Oleksandr Tymoshenko
dfcfd17f28 Handle partial data re-sending on ktls/sendfile on FreeBSD
Add a handler for EBUSY sendfile error in addition to
EAGAIN. With EBUSY returned the data still can be partially
sent and user code has to be notified about it, otherwise it
may try to send data multiple times.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13716)
2021-02-10 09:14:33 +00:00
Benjamin Kaduk
3bc0b621a7 Remove unused 'peer_type' from SSL_SESSION
This field has not been used since #3858 was merged in 2017 when we
moved to a table-based lookup for certificate type properties instead of
an index-based one.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/13991)
2021-02-09 20:26:16 -08:00
Shane Lontis
af53092c2b Replace provider digest flags with separate param fields
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13830)
2021-02-10 12:31:31 +10:00
Shane Lontis
a054d15c22 Replace provider cipher flags with separate param fields
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13830)
2021-02-10 12:31:31 +10:00
Shane Lontis
36978c19a9 Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields.
Fixes #12992

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13830)
2021-02-10 12:31:31 +10:00
Shane Lontis
8a686bdb3a Change the ASN1 variant of x942kdf so that it can test acvp data.
This 'special' way of specifying the data should only be used for testing
purposes. It should not be used in production environments.
ACVP passes a blob of DER encoded data for some of the fields rather
than passing them as separate fields that need to be DER encoded.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14077)
2021-02-10 10:28:32 +10:00
Dr. David von Oheimb
7e365d51a1 x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error)
Also simplify first part of verify_chain()

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14095)
2021-02-09 15:48:30 +01:00
Dr. David von Oheimb
364246a986 X509_get_pubkey_parameters(): Correct failure behavior and its use
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14095)
2021-02-09 15:48:30 +01:00
Dr. David von Oheimb
990a15fe73 x509_vfy: Clarify relevance of ctx->error also on successful verification
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14127)
2021-02-09 15:18:19 +01:00
Dr. David von Oheimb
579262af14 x509_vfy.c: Fix various coding style and documentation style nits
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14127)
2021-02-09 15:18:19 +01:00
Tomas Mraz
93b39c85c9 CHANGES.md: Mention RSA key generation slowdown related changes
Fixes #14068

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14073)
2021-02-09 13:45:04 +01:00
Tomas Mraz
4d2a6159db Deprecate BN_pseudo_rand() and BN_pseudo_rand_range()
The functions are obsolete aliases for BN_rand() and BN_rand_range()
since 1.1.0.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14080)
2021-02-09 13:41:11 +01:00
Petr Gotthard
604b86d8d3 Enhanced integer parsing in OSSL_PARAM_allocate_from_text
Fixes #14041 and additional bugs discovered by the newly created
tests.

This patch:
 - Introduces support for 0x prefixed integers
 - Fixes parsing of negative integers (negative numbers were
   shifted by -2)
 - Fixes ability to parse maximal unsigned numbers ("too small
   buffer" error used to be reported incorrectly)
 - Fixes a memory leak when OSSL_PARAM_allocate_from_text fails
   leaving a temporary BN allocated

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14093)
2021-02-09 11:15:55 +01:00
Richard Levitte
e60a748a13 Configuration: ensure that 'no-tests' works correctly
'no-tests' wasn't entirely respected when specifying subdirs in the
top build.info.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14082)
2021-02-09 17:05:06 +10:00
Randall S. Becker
3f71add9e5 Enable fipsload test on NonStop x86.
CLA: Trivial

Fixes: #14005

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14006)
2021-02-08 16:44:36 +01:00
Dr. David von Oheimb
50ccc176da mknum.pl: Exclude duplicate entries and include source file name in diagnostics
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14074)
2021-02-08 07:48:56 +01:00
Shane Lontis
2db985b7b1 Simplify the EVP_PKEY_XXX_fromdata_XX methods.
The existing names such as EVP_PKEY_param_fromdata_settable were a bit
confusing since the 'param' referred to key params not OSSL_PARAM. To simplify
the interface a 'selection' parameter will be passed instead. The
changes are:

(1) EVP_PKEY_fromdata_init() replaces both EVP_PKEY_key_fromdata_init() and EVP_PKEY_param_fromdata_init().
(2) EVP_PKEY_fromdata() has an additional selection parameter.
(3) EVP_PKEY_fromdata_settable() replaces EVP_PKEY_key_fromdata_settable() and EVP_PKEY_param_fromdata_settable().
    EVP_PKEY_fromdata_settable() also uses a selection parameter.

Fixes #12989

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14076)
2021-02-08 16:33:43 +10:00
Pauli
64954e2f34 Fix race condition & allow operation cache to grow.
This fixes a race condition where the index to the cache location was found
under a read lock and a later write lock set the cache entry.  The issue being
that two threads could get the same location index and then fight each other
over writing the cache entry.  The most likely outcome is a memory leak,
however it would be possible to set up an invalid cache entry.

The operation cache was a fixed sized array, once full an assertion failed.
The other fix here is to convert this to a stack.  The code is simplified and
it avoids a cache overflow condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14062)
2021-02-07 20:01:50 +10:00
Dr. David von Oheimb
11ddbf8459 Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14021)
2021-02-06 18:53:51 +01:00
Richard Levitte
2bb05a9668 PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID
All {MD}WithRSAEncryption signature AlgorithmID have the parameters
being NULL, according to PKCS#1.  We didn't.  Now corrected.

This bug was the topic of this thread on openssl-users@openssl.org:
https://mta.openssl.org/pipermail/openssl-users/2021-January/013416.html

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14030)
2021-02-05 16:53:30 +01:00
Matt Caswell
5682e77dff Fix the cipher_overhead_test
Now that libssl no longer has any OPENSSL_NO_ALG guards the internal
cipher_overhead_test wasn't quite handling disabled ciphers correctly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:22:43 +00:00
Matt Caswell
e376242d28 Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg
We should no longer be relying on compile time checks in libssl for
the availability of crypto algorithms. The availability of crypto
algorithms should be determined at runtime based on what providers have
been loaded.

Fixes #13616

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:22:43 +00:00
Matt Caswell
462f4f4bc0 Remove OPENSSL_NO_EC guards from libssl
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:22:43 +00:00
Matt Caswell
54e3efff81 Make sure we don't use sigalgs that are not available
We may have compiled in sigalg values that we can't support at runtime.
Make sure we only use sigalgs that are actually enabled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:22:42 +00:00
Matt Caswell
306b8e7e19 Add the nist group names as aliases for the normal TLS group names
By recognising the nist group names directly we can avoid having to call
EC_curve_nist2nid in libssl, which is not available in a no-ec build.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:22:42 +00:00
Matt Caswell
3de751e7f0 Remove compile time guard checking from ssl3_get_req_cert_type
With 3.0 we need to know whether algs are available at run time not
at compile time. Actually the code as written is sufficient to do this,
so we can simply remove the guards.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:22:42 +00:00
Matt Caswell
05b4b85d4b Check for availability of ciphersuites at run time
In 1.1.1 and below we would check for the availability of certain
algorithms based on compile time guards. However with 3.0 this is no
longer sufficient. Some algorithms that are unavailable at compile time
may become available later if 3rd party providers are loaded. Similarly,
algorithms that exist in our built-in providers at compile time may not
be available at run time if those providers are not loaded.

Fixes #13184

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:22:42 +00:00
Matt Caswell
a763ca1177 Stop disabling TLSv1.3 if ec and dh are disabled
Even if EC and DH are disabled then we may still be able to use TLSv1.3
if we have groups that have been plugged in by an external provider.

Fixes #13767

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:22:40 +00:00
Matt Caswell
8b1db5d329 Make supported_groups code independent of EC and DH
The supported groups code was checking the OPENSSL_NO_EC and
OPENSSL_NO_DH guards in order to work, and the list of default groups was
based on those guards. However we now need it to work even in a no-ec
and no-dh build, because new groups might be added from providers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:20:37 +00:00
Matt Caswell
ddf8f1ce63 Ensure default supported groups works even with no-ec and no-dh
The default supported groups code was disabled in the event of a build
with no-ec and no-dh. However now that providers can add there own
groups (which might not fit into either of these categories), this is
no longer appropriate.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:20:36 +00:00
Matt Caswell
5b64ce89b0 Remove OPENSSL_NO_DH guards from libssl
This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that
libssl is entirely using the EVP APIs and implementations can be plugged
in via providers it is no longer needed to disable DH at compile time in
libssl. Instead it should detect at runtime whether DH is available from
the loaded providers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-05 15:20:36 +00:00
Richard Levitte
9ca08f91e9 Makefile template: Allow separate generation of .pod.in -> .pod
We do this by adding the attribute 'pod' to all .pod.in -> .pod
generations, like this:

    DEPEND[NAME.pod]{pod}=NAME.pod.in,

...  and selecting out the target files for those dependencies into a
dedicated target 'build_generated_pods', which the 'doc-nits' and
'cmd-nits' make targets are made to depend on.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14067)
2021-02-05 15:51:31 +01:00
Richard Levitte
b8393eae22 DOCS: Remove the "global" dependency on writing .pod files from .pod.in
The dependency was made in such a way that .pod.in -> .pod generation
would always be done, no matter what.  This changes the procedure so
that the generation is made "on demand", i.e. when the resulting .pod
files are needed.

This turned out to be duplicated dependencies, as the .pod -> .pod.in
dependencies were already in place.  Just removing the duplicate fixes
the situation.

'make build_all_generated' still works, for those who do want to have
all file generations performed.  (as a reminder, this is suitable to
generate the files a fast system and then copy the result to a slower
system, or system where there's no perl)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14067)
2021-02-05 15:51:31 +01:00
Richard Levitte
388eb0d970 TEST: Add an algorithm ID tester for libcrypto vs provider
Providers produce algorithm IDs of their own, and we need to compare
them against the same thing produced by libcrypto's ASN.1 code and
with legacy keys.

This tester can compare algorithm IDs for signatures and for keys,
given certificates that hold such data.

To verify key algorithm IDs, only one certificate is necessary, and
its public key is used.

To verify certificate algorithm IDs, we need to launch the signature
operation that would verify a certificate against the public key of
its signing CA, so that test needs two files.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14049)
2021-02-05 15:44:39 +01:00
Richard Levitte
93d6132a79 EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters()
We used evp_pkey_downgrade() on 'from', which permanently converts 'from'
to have a legacy internal key.  Now that we have evp_pkey_copy_downgraded(),
it's better to use that (and thereby restore the constness contract).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13341)
2021-02-05 14:16:17 +01:00
Richard Levitte
93bae03abf dev/release.sh: Fix typo
tagley -> tagkey

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14061)
2021-02-05 14:13:52 +01:00
Richard Levitte
1e3affbbcd Remove the old DEPRECATEDIN macros
They serve no purpose any more

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13461)
2021-02-05 14:10:53 +01:00
Richard Levitte
e337b82410 ERR: Rebuild all generated error headers and source files
This is the result of 'make errors ERROR_REBUILD=-rebuild'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13392)
2021-02-05 14:09:16 +01:00
Richard Levitte
b14c8465c0 ERR: clean away everything related to _F_ macros from util/mkerr.pl
Instead, we preserve all the pre-3.0 _F_ macros in the backward
compatibility headers include/openssl/cryptoerr_legacy.h and
include/openssl/sslerr_legacy.h

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13392)
2021-02-05 14:09:16 +01:00