2
0
mirror of https://github.com/openssl/openssl.git synced 2025-01-06 13:26:43 +08:00
Commit Graph

11962 Commits

Author SHA1 Message Date
Matt Caswell
dd73147420 Fix safestack issues in bio.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
1e14bca233 Fix safestack issues in ess.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
0b28254015 Fix safestack issues in asn1t.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
9d01ac71a0 Fix safestack issues in ct.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
98c35dc48d Fix safestack issues in crmf.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
c5a5581127 Fix safestack issues in x509_vfy.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
22fbfe6a7d Fix safestack issues in srp.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
02199cc39d Fix safestack issues in pkcs7.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
fd3ed85c67 Fix safestack issues in ocsp.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
904e1f92b3 Fix safestack issues in cms.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
798f932980 Fix safestack issues in cmp.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:40 +01:00
Matt Caswell
b4780134df Fix safestack issues in asn1.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:40 +01:00
Matt Caswell
24c4ea958e Fix stacks of OPENSSL_STRING, OPENSSL_CSTRING and OPENSSL_BLOCK
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:39 +01:00
Matt Caswell
e144fd36ce Fix safestack issues in x509v3.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:09:45 +01:00
Matt Caswell
e6623cfbff Fix safestack issues in x509.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:09:45 +01:00
Randall S. Becker
08073700cc NonStop port updates for 3.0.0.
HPE NonStop Port Changes for 3.0.0  Includes unthreaded, PUT, and SPT for OSS.

The port changes include wrapping where necessary for FLOSS and
appropriate configuration changes to support that. Two tests
are excluded as being inappropriate for the platform.

The changes are:
* Added /usr/local/include to nonstop-nsx_spt_floss to load floss.h
* Added SPT Floss variant for NonStop
* Wrapped FLOSS definitions in OPENSSL_TANDEM_FLOSS to allow selective enablement.
* SPT build configuration for NonStop
* Skip tests not relevant for NonStop
* PUT configuration changes required for NonStop platforms
* Configurations/50-nonstop.conf: updates for TNS/X platform.
* FLOSS instrumentation for HPE NonStop TNS/X and TNS/E platforms.
* Configurations/50-nonstop.conf: modifications for non-PUT TNS/E platform b
* Fix use of DELAY in ssltestlib.c for HPNS.
* Fixed commit merge issues and added floss to http_server.c

CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes .

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12800)
2020-09-12 20:32:11 +02:00
Richard Levitte
655f73cecf EVP: Add the internal convenience function evp_keymgmt_util_export()
This is purely to allow exporting without having to repeatedly specify
the keymgmt and keydata from the EVP_PKEY.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:52 +02:00
Richard Levitte
7229a2f4ab EC: Reimplement EVP_PKEY_CTX_set_ec_param_enc() to support providers
Fixes 

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:22 +02:00
Shane Lontis
35e6ea3bdc keygen: add FIPS error state management to conditional self tests
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:51 +10:00
Pauli
5736923f12 FIPS: error mode is set from failed self tests and produced a limited number of errors when algorithm accesses are attempted
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
2020-09-12 16:46:51 +10:00
Shane Lontis
97f7a6d42e Fix coverity issue: CID 1466482 - Resource leak in OSSL_STORE_SEARCH_by_key_fingerprint()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:24 +10:00
Shane Lontis
9951eaf467 Fix coverity issue: CID 1466483 - Improper use of Negative value in dh_ctrl.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:24 +10:00
Shane Lontis
0f0b7dfbe5 Fix coverity issue: CID 1466484 - Remove dead code in PKCS7_dataInit()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:24 +10:00
Shane Lontis
6e417f951c Fix coverity issue: CID 1466485 - Explicit NULL dereference in OSSL_STORE_find()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:23 +10:00
Shane Lontis
3481694946 Fix coverity issue: CID 1466486 - Resource leak in OSSL_STORE
Note that although this is a false positive currently, it could become possible if any of the methods called
change behaviour - so it is safer to add the fix than to ignore it. Added a simple test so that I could prove this was the case.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
2020-09-12 15:57:23 +10:00
Richard Levitte
c1aba0763c OSSL_DECODER 'decode' function must never be NULL.
The conditions for a valid implementation allowed the 'decode'
function to be NULL or the 'export_object' was NULL.  That condition
is changed so that 'decode' is checked to be non-NULL by itself.

Fixes 

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12849)
2020-09-12 03:53:32 +02:00
Dr. David von Oheimb
82bdd64193 check_chain_extensions(): Require X.509 v3 if extensions are present
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:43:52 +02:00
Dr. David von Oheimb
e41a2c4c60 check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:43:34 +02:00
Dr. David von Oheimb
d72c8b457b x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:23 +02:00
Dr. David von Oheimb
bb377c8d6c check_chain_extensions(): Add check that CA cert includes key usage extension
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
da6c691d6d check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
89f13ca434 check_chain_extensions(): Add check that AKID and SKID are not marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
8a639b9d72 check_chain_extensions(): Add check that Basic Constraints of CA cert are marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
1e41dadfa7 Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c
add various checks for malformedness to static check_chain_extensions() in x509_vfc.c
improve error reporting of X509v3_cache_extensions() in v3_purp.c
add error reporting to x509_init_sig_info() in x509_set.c
improve static setup_dp() and related functions in v3_purp.c and v3_crld.c
add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
2020-09-11 07:42:22 +02:00
Dr. David von Oheimb
d3dbc9b500 apps_ui.c: Correct password prompt for ui_method
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12493)
2020-09-10 22:01:07 +02:00
Richard Levitte
9f604ca13d STORE: Fix OSSL_STORE_attach() to check |ui_method| before use
ossl_pw_set_ui_method() demands that the passed |ui_method| be
non-NULL, and OSSL_STORE_attach() didn't check it beforehand.

While we're at it, we remove the passphrase caching that's set at the
library level, and trust the implementations to deal with that on
their own as needed.

Fixes 

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12831)
2020-09-10 13:39:30 +02:00
Dr. David von Oheimb
bc64c5a69b X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
2aa91df406 X509_NAME_oneline(): Fix output of multi-valued RDNs, escaping '/' and '+' in values
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
2020-09-10 12:07:33 +02:00
Matt Caswell
3101ab603c Fix an EVP_MD_CTX leak
If we initialise an EVP_MD_CTX with a legacy MD, and then reuse the same
EVP_MD_CTX with a provided MD then we end up leaking the md_data.

We need to ensure we free the md_data if we change to a provided MD.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12779)
2020-09-10 11:35:42 +02:00
Richard Levitte
b830e00429 Diverse build.info: Adjust paths
Fixes 

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12816)
2020-09-10 09:50:56 +02:00
Dr. David von Oheimb
bb30bce22b bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822)
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
543a802fab bugfix in ossl_cmp_msg_protect(): set senderKID and extend extraCerts also for unprotected CMP requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822)
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
6199478101 bugfix in ossl_cmp_msg_add_extraCerts(): should include cert chain when using PBM
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822)
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
a0745e2be6 Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
* Use strenghtened cert chain building, verifying chain using optional trust store
  while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)
2020-09-10 07:07:55 +02:00
Richard Levitte
8ae40cf57d ENCODER: Refactor provider implementations, and some cleanup
The encoder implementations were implemented by unnecessarily copying
code into numerous topical source files, making them hard to maintain.
This changes merges all those into two source files, one that encodes
into DER and PEM, the other to text.

Diverse small cleanups are included.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12803)
2020-09-09 16:35:22 +02:00
Pauli
e942111267 In a non-shared build, don't include the md5 object files in legacy provider
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961)
2020-09-09 17:59:08 +10:00
Pauli
81661a14bc legacy: include MD5 code in legacy provider
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961)
2020-09-09 17:59:08 +10:00
Dr. David von Oheimb
b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12806)
2020-09-08 23:24:42 +02:00
Dr. David von Oheimb
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12807)
2020-09-08 23:22:29 +02:00
Richard Levitte
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys
PEM_write_bio_PrivateKey_traditional() didn't handle provider-native
keys very well.  Originally, it would simply use the corresponding
encoder, which is likely to output modern PEM (not "traditional").

PEM_write_bio_PrivateKey_traditional() is now changed to try and get a
legacy copy of the input EVP_PKEY, and use that copy for traditional
output, if it has such support.

Internally, evp_pkey_copy_downgraded() is added, to be used when
evp_pkey_downgrade() is too intrusive for what it's needed for.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12738)
2020-09-08 16:45:11 +02:00