Commit Graph

30555 Commits

Author SHA1 Message Date
Martin Schwenke
e67edf60f2 perlasm/ppc-xlate.pl: Fix build on OS X
vsr2vr1() fails on OS X because the main loop doesn't strip the
non-numeric register prefixes for OS X.

Strip any non-numeric prefix (likely just "v") from registers before
doing numeric calculation, then put the prefix back on the result.

Fixes: #16995

Signed-off-by: Martin Schwenke <martin@meltin.net>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17026)
2021-11-18 13:24:17 +01:00
Dr. David von Oheimb
af16097feb Move more general parts of internal/cryptlib.h to new internal/common.h
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
2021-11-17 15:48:37 +01:00
Dr. David von Oheimb
747adb6a01 Add and use HAS_CASE_PREFIX(), CHECK_AND_SKIP_CASE_PREFIX(), and HAS_CASE_SUFFIX()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
2021-11-17 15:48:37 +01:00
Dr. David von Oheimb
2ff286c26c Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
2021-11-17 15:48:34 +01:00
Dr. David von Oheimb
a6838c8d52 80-test_cmp_http: Make server diagnostics more verbose to aid debugging
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16051)
2021-11-17 12:43:17 +01:00
Dr. David von Oheimb
ae8ff109c1 cmp_server.c: Log received request type before checking details
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16051)
2021-11-17 12:43:17 +01:00
Dr. David von Oheimb
92df52119e Fix verbosity of CMP client diagnostics
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16051)
2021-11-17 12:43:17 +01:00
Pauli
7f64962751 Add documentation for some of the missing environment variables.
Where document already exists, it has been linked to.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17044)
2021-11-17 18:54:31 +10:00
Pauli
7cc5738a56 Fix Coverity 1493746: constant expression result
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17034)
2021-11-17 08:15:35 +10:00
Peiwei Hu
e3f0362407 BIO_read_filename: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17033)
2021-11-16 17:34:11 +01:00
Peiwei Hu
bf4ceeded1 EVP_PKEY_keygen_init: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17031)
2021-11-16 17:33:14 +01:00
Peiwei Hu
6e0b05f300 EVP_PKEY_paramgen_init: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17030)
2021-11-16 17:32:17 +01:00
Peiwei Hu
e2e5e72d5a EVP_DigestVerifyFinal: fix test function and invocation
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17029)
2021-11-16 17:30:57 +01:00
Peiwei Hu
6d77473251 EVP_Cipher: fix the incomplete return check
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17027)
2021-11-16 17:28:23 +01:00
Shane Lontis
35530b117f Add RSA encrypt demo
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16283)
2021-11-16 15:58:23 +00:00
Andrew Galante
3066cf2614 Abstract out policy and extensions in CA.pl
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13819)
2021-11-16 15:48:08 +00:00
Matt Caswell
8c08c8b37c Add a test for creating ECX private keys that are too short
We expect attempting to create such short keys to fail

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17041)
2021-11-16 13:21:06 +00:00
Matt Caswell
50938aec35 Don't create an ECX key with short keys
If an ECX key is created and the private key is too short, a fromdata
call would create the key, and then later detect the error and report it
after freeing the key. However freeing the key was calling
OPENSSL_secure_clear_free() and assuming that the private key was of the
correct length. If it was actually too short this will write over memory
that it shouldn't.

Fixes #17017

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17041)
2021-11-16 13:21:06 +00:00
Peiwei Hu
c9007bda79 RAND_bytes_ex: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17032)
2021-11-16 20:01:13 +10:00
Matt Caswell
e48fe79840 Clarify the PEM docs
Make it clear how the existing PEM functions can be used to create an
X509, X509_REQ or X509_CRL object with an associated libctx/propq.

Fixes #16966

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17012)
2021-11-15 16:31:03 +00:00
Matt Caswell
07f620e3ac Reset the rwstate before calling ASYNC_start_job()
If an async job pauses while processing a TLS connection then the
rwstate gets set to SSL_ASYNC_PAUSED. When resuming the job we should
reset the rwstate back to SSL_NOTHING. In fact we can do this
unconditionally since if we're about to call ASYNC_start_job() then either
we are about to start the async job for the first time (in which case the
rwstate should already by SSL_NOTHING), or we are restarting it after a
pause (in which case reseting it to SSL_NOTHING is the correct action).

Fixes #16809

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17013)
2021-11-15 14:37:08 +00:00
Dr. David von Oheimb
7a9b09feaa BIO_s_connect(): Enable BIO_gets()
Fixes #16028

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16030)
2021-11-15 14:40:16 +01:00
Tomas Mraz
bef9b48e50 Add null digest implementation to the default provider
This is necessary to keep compatibility with 1.1.1.

Fixes #16660

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17016)
2021-11-15 09:25:42 +01:00
Matt Caswell
293e251e6f Extend the test_multi_load() test
Run more threads and load the legacy provider (which uses a child lib ctx)
in order to hit more possible thread failures.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
addbd7c9d7 Hold the flag_lock when calling child callbacks
Not holding the flag lock when creating/removing child providers can
confuse the activation counts if the parent provider is loaded/unloaded
at the same time.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
4aced11785 Use a write lock during ossl_provider_find()
A "find" operation on a stack can end up sorting the underlying stack. In
this case it is necessary to use a "write" lock to synchronise access to
the stack across multiple threads.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
1e8ed3e596 Correctly activate the provider in OSSL_PROVIDER_try_load
If during OSSL_PROVIDER_try_load() we attempt to load a provider, but
adding to the store gives back a different provider, then we need to
ensure this different provider has its activation count increased.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
cad22202a3 Stop receiving child callbacks in a child libctx when appropriate
We should stop receiving child callbacks if we're about to free up
the child libctx. Otherwise we can get callbacks when the libctx is half
freed up.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
e39bd62151 Don't bail out during provider deactivation if we don't have store
A provider may have been activated, but failed when being added to
the store. At this point we still need to deactivate it.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
dc6d9ede62 Don't try and do ossl_provider_find in ossl_provider_new
We leave it to the caller to confirm that the provider does not exist
in the store. If it does exist then later adding it to the store will
fail.

It is possible that the provider could be added to the store in
between the caller checking, and the caller calling ossl_provider_new.
We leave it to the caller to properly handle the failure when it
attempts to add the provider to the store. This is simpler than
having ossl_provider_new try to handle it.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
464c2b988e Remove the isinited variable from child_prov_globals
This variable might have made sense at some point but it not longer does
so. It was being used to check whether we are still initing or not. If we
are still initing then the assumption was that we already hold the lock.
That assumption was untrue. We need to always take the lock.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
3b9de0c9aa Avoid a race in init_thread_stop()
init_thread_stop() is called when a thread is stopping. It calls all
the callbacks that need to know about the demise of this thread. However,
the list of callbacks is also available globally and may be updated by
other threads so we need to make sure we use the right lock.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
c59fc87b33 Don't attempt to deactive child providers if we don't need to
If a provider doesn't have any child providers then there is no need
to attempt to remove them - so we should not do so. This removes some
potentialy thread races.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:14 +00:00
Matt Caswell
6de9214a50 Don't write to the globals ossl_property_true and ossl_property_false
These global variables were previously overwritten with the same value
every time we created a new OSSL_LIB_CTX. Instead we preinitialise them
with the correct values, and then confirm that settings for each
OSSL_LIB_CTX agree with the preinitialised values.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
2021-11-12 17:16:01 +00:00
Tomas Mraz
3641f04fb0 doc: Document outcome of multiple digestsign/digestverify calls
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
2021-11-12 16:39:43 +01:00
Tomas Mraz
8cbfc4f67b evp_extra_test: Add SIPHASH MAC digestsign test with reinitialization
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
2021-11-12 16:39:43 +01:00
Tomas Mraz
3ffd23e952 providers: Allow possible reinitialization in all signature algorithms
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
2021-11-12 16:39:33 +01:00
Tomas Mraz
816f72d088 test: Add testing of reinitialization via EVP_DigestSignInit()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
2021-11-12 16:39:33 +01:00
Tomas Mraz
ae6b68b761 do_sigver_init: Allow reinitialization of an existing operation.
Fixes #16936

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
2021-11-12 16:39:33 +01:00
PW Hu
680827a15f Fix return value checking of BN_check_prime invocations
Negative return value indicates an error so we bail out.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16975)
2021-11-12 11:20:48 +01:00
Pauli
ed5b26ce0b Add return value NULL checks that were missing
Issues located by Brian Carpenter of Geeknik's Farm.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17007)
2021-11-12 19:53:02 +10:00
Pauli
87fd67d997 x509: use safe maths calls for overflow detection
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
2021-11-12 19:49:47 +10:00
Pauli
d362db7cd1 run-checker: add CI to test safe_math without compiler support.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
2021-11-12 19:49:46 +10:00
Pauli
8347bfa04f stack: increase the reallocation ratio
This change increases the reallocation ratio from 1.5 to 1.6.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
2021-11-12 19:49:46 +10:00
Pauli
bc4efcb0d0 test: add unit tests for integer overflow helpers
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
2021-11-12 19:49:46 +10:00
Pauli
cccfc66828 doc: document the internal integer overflow helpers
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
2021-11-12 19:49:46 +10:00
Pauli
b037e3637a header: add integer overflow helper functions
Define a number of helper functions that ease the difficulty of detecting
integer overflows.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
2021-11-12 19:49:46 +10:00
Dr. David von Oheimb
00cf3a2d30 25-test_req.t: Add systematic SKID+AKID tests for self-issued (incl. self-signed) certs
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
2021-11-11 20:18:56 +01:00
Dr. David von Oheimb
adbd77f6d7 X509: Fix handling of AKID and SKID extensions according to configuration
Fixes #16300

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
2021-11-11 20:18:55 +01:00
Job Snijders
b0c1214e1e Add OID for RPKI id-ct-ASPA
References: draft-ietf-sidrops-aspa-profile
"A Profile for Autonomous System Provider Authorization" (ASPA)

OID permanently assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)'
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17002)
2021-11-11 13:02:29 +01:00