Commit Graph

29221 Commits

Author SHA1 Message Date
Dr. David von Oheimb
eca4826a29 test/certs/setup.sh: Fix two glitches
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
2021-05-05 09:51:39 +02:00
Dr. David von Oheimb
c774f4e50f update test/certs/ee-pathlen.pem to contain SKID and AKID
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
2021-05-05 09:51:39 +02:00
Dr. David von Oheimb
4f449d90dd test/certs/setup.sh: structural cleanup
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14413)
2021-05-05 09:51:39 +02:00
Rich Salz
a485561b2e Fetch cipher-wrap after loading providers.
Use official (first) names for wrapping algorithms.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14182)
2021-05-05 09:46:56 +02:00
Shane Lontis
2b05439f84 Fix KMAC bounds checks.
Setting an output length higher than 8191 was causing a buffer overflow.
This was reported by Acumen (FIPS lab).

The max output size has increased to ~2M and it now checks this during set_parameters.

The encoder related functions now pass in the maximum size of the output buffer so they
can correctly check their size. kmac_bytepad_encode_key() calls bytepad twice in
order to calculate and check the length before encoding.

Note that right_encode() is currently only used in one place but this
may change if other algorithms are supported (such as TupleHash).

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15106)
2021-05-05 17:39:27 +10:00
Tomas Mraz
029875dc5b Bump HMAC_MAX_MD_CBLOCK to 200 due to SHA-3
The maximum (theoretical) block size of SHA3 is 200 bytes.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15125)
2021-05-05 09:30:29 +10:00
Richard Levitte
355e1f041c DOCS: Mention that libcrypto has helper functions for OSSL_PARAMs
Fixes #11165

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15073)
2021-05-05 09:29:08 +10:00
Dr. David von Oheimb
79a2bccdb0 HTTP client: Correct the use of optional proxy URL and its documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15104)
2021-05-04 18:27:57 +02:00
Dr. David von Oheimb
9520fe5f49 testutil/load.c: Add checks for file(name) == NULL
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15120)
2021-05-04 18:26:21 +02:00
Dr. David von Oheimb
8b25b0eb99 BIO_eof() and OSSL_STORE_eof(): Make sure to return 1 on error; improve related doc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15029)
2021-05-04 18:16:56 +02:00
Dr. David von Oheimb
d9efb24de8 OSSL_DECODER_from_bio() Prevent spurious decoding error at EOF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15029)
2021-05-04 18:16:48 +02:00
Dr. David von Oheimb
6c3d101a62 APPS load_key_certs_crls(): Correct the 'expect' arg calculation for OSSL_STORE_expect()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15029)
2021-05-04 18:16:48 +02:00
Dr. David von Oheimb
6e328484ab OSSL_STORE_expect(): Improve error handling and documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15029)
2021-05-04 18:16:48 +02:00
Dr. David von Oheimb
7031f5821c OCSP: Minor improvements of documentation and header file
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15103)
2021-05-04 18:14:24 +02:00
Tomas Mraz
bad0d6c789 fips-checksums: The define for fips module is FIPS_MODULE
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15132)
2021-05-04 13:08:33 +02:00
Matt Caswell
f9548d21ba Document the new core BIO public API support
Fixes #14409

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15072)
2021-05-04 12:00:21 +01:00
Matt Caswell
93954ab050 Add a test for the public core bio API
Check that reading/writing to a core bio via BIO_new_from_core_bio()
works as expected.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15072)
2021-05-04 12:00:21 +01:00
Matt Caswell
b0ee1de9ab Create libcrypto support for BIO_new_from_core_bio()
Previously the concept of wrapping an OSSL_CORE_BIO in a real BIO was an
internal only concept for our own providers. Since this is likely to be
generally useful, we make it a part of the public API.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15072)
2021-05-04 12:00:21 +01:00
Tomas Mraz
e3188bae04 Run coveralls daily and not exactly at midnight
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15121)
2021-05-04 12:59:49 +02:00
Tomas Mraz
9deb202e6a coveralls: Enable fips as it is disabled by default
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15121)
2021-05-04 12:59:49 +02:00
Petr Gotthard
a0baa98b5c apps: Switch to X509_REQ_verify_ex
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15118)
2021-05-04 12:58:15 +02:00
Pauli
67cd43084c test: fix failure with FIPS and no-des configured.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15105)
2021-05-04 20:39:28 +10:00
Richard Levitte
5432d827ec APPS: Add passphrase handling in the "rsa" and "dsa" commands
They completely ignored any passphrase related setting.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15119)
2021-05-04 11:40:31 +02:00
Richard Levitte
49ce003740 APPS: Set a default passphrase UI for the "ec" command
Fixes #15114

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15119)
2021-05-04 11:40:31 +02:00
Richard Levitte
f97bc7c424 [TEMPORARY] make 'make update' verbose in ci.yml
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:32:16 +02:00
Richard Levitte
49f699b54d GitHub CI: ensure that unifdef is installed
This is required for 'make update' and fips checksums

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:32:16 +02:00
Richard Levitte
be22315235 FIPS module checksums: add scripts and Makefile rule
This adds the following scripts:

util/lang-compress.pl:

Compress source code, which language is determined by the first argument.
For the moment, we know 'perl' (perlasm source code), 'C' (C source code)
and 'S' (Assembler with C preprocessor directives).
This removes comments and empty lines, and compresses series of horizontal
spaces to one single space in the languages where that's appropriate.

util/fips-checksums.sh:

Takes source file names as arguments, pushes them through
util/lang-compress.pl and unifdef with FIPS_MODE defined, and calculates
the checksum on the result.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:32:16 +02:00
Richard Levitte
27ca03ea82 Unix build file: Add a target to create providers/fips.module.sources
This file will be the basis for the FIPS module checksum calculation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:32:16 +02:00
Richard Levitte
841a438c7f Add OpenSSL::Config::Query and use it in configdata.pm
OpenSSL::Config::Query is a configuration querying tool that's meant
to make it easier to query the diverse configuration data for info.
That's much easier than to dig through all the parts of %unified_info.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
2021-05-04 11:29:56 +02:00
Richard Levitte
02669b677e Windows build file: add forgotten quotes on POD->html command line
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15084)
2021-05-04 10:16:33 +02:00
Richard Levitte
0d6c144e8d OpenSSL::Test: When prefixing command with $^X on Windows, fix it up!
The perl interpreter name itself might contain spaces and need quoting.
__fixup_prg() does this for us.

Fixes #14256

Co-authored-by: Tomáš Mráz <tomas@openssl.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15084)
2021-05-04 10:16:33 +02:00
Pauli
d1a770414a acvp-test: disable the ACVP testing code by default
It's only useful for the FIPS lab and shouldn't be in production.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15092)
2021-05-02 17:13:45 +10:00
FdaSilvaYY
045a893091 ssl: fix possible ref counting fields use before init.
`strdup(propq)` failure is doing a `goto err;` from where `SSL_CTX_free` is called.
The possible call is made before reference and lock fields setup.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15052)
2021-05-01 18:23:21 +02:00
Hubert Kario
dd28d1c4d3 man: s_server: fix text repetition in -alpn description
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15099)
2021-05-01 17:53:24 +02:00
Rich Salz
f4407385f5 APPS: Document the core of the opt_ API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14995)
2021-05-01 13:11:49 +02:00
Dmitry Belyavskiy
c0f4400c40 Use OCSP-specific error code for clarity
Fixes #12735

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/xxxxx)
2021-05-01 13:09:15 +02:00
Tomas Mraz
39da327294 Simplify AppVeyor configuration
Adjust the stuff we are building and testing in various
configurations to trim the run time a little bit.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15087)
2021-05-01 13:13:11 +10:00
Tomas Mraz
535130c39d Add -latomic to threads enabled 32bit linux builds
It might not be necessary with the most recent toolchain versions
but apparently many 32bit linux architectures and commonly used
toolchain versions require this.

It is also harmless to include even on architectures that do not
need it.

Fixes #14083

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15086)
2021-05-01 13:10:01 +10:00
Shane Lontis
38e12964a6 Fix no-fips-securitychecks test failure
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15091)
2021-05-01 13:09:07 +10:00
Petr Gotthard
91034b68b3 apps/ca,req,x509: Switch to EVP_DigestSignInit_ex
Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it
works with external providers.
Since EVP_DigestSignInit_ex requires a digest name instead of
an EVP_MD pointer, the apps using do_sign_init() had to be modified
to pass char* instead of EVP_MD*.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15014)
2021-04-30 21:02:59 +02:00
Daniel Bevenius
4489655c23 Fix typo in OSSL_DECODER_CTX_set_input_structure
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15085)
2021-04-30 16:38:57 +02:00
Richard Levitte
b7f7a15f6a STORE: Fix the repeated prompting of passphrase
OSSL_STORE's loading function could prompt repeatedly for the same
passphrase.  It turns out that OSSL_STORE_load() wasn't caching the
passphrase properly.  Fixed in this change.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15064)
2021-04-30 16:02:29 +02:00
Tomas Mraz
b594a22717 SM2 signatures work correctly only with SM3 digests
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15074)
2021-04-30 15:15:54 +02:00
Tomas Mraz
2c181ac5a6 sm2: Cleanup handling of DIGEST and DIGEST_SIZE parameters
Fixes #14873

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15074)
2021-04-30 15:15:54 +02:00
Richard Levitte
c230e938c7 CORE: Rework the pre-population of the namemap
The pre-population of names has become more thorough.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15066)
2021-04-30 11:15:00 +02:00
Richard Levitte
e73fc81345 STORE: Use the 'expect' param to limit the amount of decoders used
In the provider file: scheme loader implementation, the OSSL_DECODER_CTX
was set up with all sorts of implementations, even if the caller has
declared a limited expectation on what should be loaded, which means
that even though a certificate is expected, all the diverse decoders
to produce an EVP_PKEY are added to the decoding change.

This optimization looks more closely at the expected type, and only
adds the EVP_PKEY related decoder implementations to the chain if
there is no expectation, or if the expectation is one of
OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15066)
2021-04-30 11:15:00 +02:00
Pauli
38230e3011 acvp: fix the no-acvp_test build
A pair of the disabled string checks were incorrect.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15082)
2021-04-30 17:51:44 +10:00
Shane Lontis
455f254252 Update OSSL_STORE_attach() documentation to indicate it increases the ref_count of the passed in bio
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15058)
2021-04-30 16:04:53 +10:00
Shane Lontis
857c223bf7 Fix memory leak in load_key_certs_crls() when using stdin.
A newly created BIO object within this function calls
OSSL_STORE_attach() which increases the ref count to 2.
OSSL_STORE_close() then decrements the ref count by 1, so the BIO still
remains.

The following new test was picking up this leak using..
> valgrind openssl crl -hash -noout < test/testcrl.pem

Not quite sure why the existing tests were not picking this up
since they appear to run through a similiar path.. such as
> valgrind openssl pkey < test-runs/test_rsa/rsa-pkcs8-ff.dd

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15058)
2021-04-30 16:04:53 +10:00
Shane Lontis
e9d62da6c3 Fix CRL app so that stdin works.
Fixes #15031

The maybe_stdin needed to be passed to load_key_certs_crls().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15058)
2021-04-30 16:04:52 +10:00