Commit Graph

27948 Commits

Author SHA1 Message Date
Matt Caswell
730bee5253 Skip cms tests using RC2 if no legacy provider
Fixes #12510

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:34 +00:00
Matt Caswell
abec331fd3 Don't run a legacy specific PKCS12 test if no legacy provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:34 +00:00
Matt Caswell
8891a12b5b Don't use the legacy provider in test_store if its not available
If we don't have the legacy provider then we avoid having to use it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:34 +00:00
Matt Caswell
d5e8d26008 Don't load the legacy provider in test_evp_libctx unnecessarily
We don't need the legacy provider, so don't load it. This avoids
problems in a no-legacy build

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
f2130201f1 Don't load the legacy provider if not available in test_enc_more
If the legacy provider isn't available then we shouldn't attempt to
load or use it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
81959b26a3 Skip testing ciphers in the legacy provider if no legacy
test_enc should not test ciphers that are not available due to a lack
of the legacy provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
39e3daeead Don't load the legacy provider in endecoder_legacy_test
In spite of the name the endecoder_legacy_test does not need the
legacy provider. Therefore we avoid loading it so that no-legacy
builds still run the test successfully.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
49da54b9fa Don't use legacy provider if not available in test_ssl_old
If we've been configured with no-legacy then we should not attempt to
load the legacy provider.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
5ae54dbac1 Fix sslapitest.c if built with no-legacy
We skip a test that uses the no-legacy option. Unfortuantely there is
no OPENSSL_NO_LEGACY to test, so we just check whether we were successful
in loading the legacy provider - and if not we skip the test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
3a43b30ebb Skip evp_test cases where we need the legacy prov and its not available
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
2020-12-11 10:56:22 +00:00
Matt Caswell
a67c70107c Don't use no-asm in the Github CIs
no-asm has proven to be too slow, therefore we don't use it in the Github
CI builds and instead rely on it being covered by run-checker.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13607)
2020-12-11 10:54:40 +00:00
Shane Lontis
acd3e548bc Add fips self tests for all included kdf
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13480)
2020-12-11 10:59:32 +10:00
Shane Lontis
f0591559f6 Add validate method to ECX keymanager
Fixes #11619

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13459)
2020-12-11 10:53:19 +10:00
Dr. David von Oheimb
1a683b80dc apps/{ca,req,x509}.c: Improve diag and doc mostly on X.509 extensions, fix multiple instances
This includes a general correction in the code (now using the X509V3_CTX_REPLACE flag)
and adding a prominent clarification in the documentation:

    If multiple entries are processed for the same extension name,
    later entries override earlier ones with the same name.

This is due to an RFC 5280 requirement - the intro of its section 4.2 says:

    A certificate MUST NOT include more than one instance of a particular extension.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
98ba251fe6 openssl_hexstr2buf_sep(): Prevent misleading 'malloc failure' errors on short input
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
8ca661abd7 v2i_AUTHORITY_KEYID(): Correct out-of-memory behavior and avoid mem leaks
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
f902716f24 X509V3_EXT_add_nconf_sk(): Improve description and use of 'sk' arg, which may be NULL
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
374f72cedd openssl-ca.pod.in: Clarify the -extensions/-crlexts options vs. x509_extensions/crl_extensions
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
9c3a52f2a2 apps/x509.c: Factor out common aspects of X509 signing
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
6c9515b763 apps/{req,x509,ca}.c: Cleanup: move shared X509{,_REQ,_CRL} code to apps/lib/apps.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
d858e743a9 apps/{req,x509,ca}.c: Clean up code setting X.509 cert version v3
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
e9701a0141 x509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKeyIdentifier
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
7c051ecce4 apps/req.c: Improve diagnostics on multiple/overriding X.509 extensions defined via -reqext option
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
2020-12-10 15:19:55 +01:00
Dr. David von Oheimb
bca7ad6efd Use adapted test_get_libctx() for simpler test setup and better error reporting
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13001)
2020-12-10 11:01:26 +01:00
Fangming.Fang
5ea64b456b Read MIDR_EL1 system register on aarch64
MIDR_EL1 system register exposes microarchitecture information so that
people can make micro-arch related optimization such as exposing as
much instruction level parallelism as possible.

MIDR_EL1 register can be read only if HWCAP_CPUID feature is supported.

Change-Id: Iabb8a36c5d31b184dba6399f378598058d394d4e

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11744)
2020-12-09 16:17:17 +01:00
Matt Caswell
6582661f7b Test that we can negotiate TLSv1.3 if we have an SNI callback
If an SNI callback has been set then we may have no certificuates suitable
for TLSv1.3 use configured for the current SSL_CTX. This should not prevent
us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we
need a suitable certificate.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13304)
2020-12-09 14:46:17 +00:00
Matt Caswell
ebda646db6 Modify is_tls13_capable() to take account of the servername cb
A servername cb may change the available certificates, so if we have one
set then we cannot rely on the configured certificates to determine if we
are capable of negotiating TLSv1.3 or not.

Fixes #13291

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13304)
2020-12-09 14:46:16 +00:00
Tomas Mraz
7eea331eab v3nametest: Make the gennames structure static
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13635)
2020-12-09 13:41:30 +01:00
Nan Xiao
74c8dd1c51 Fix typo in OPENSSL_malloc.pod
CLA: trivial

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13632)
2020-12-09 13:36:02 +01:00
Pauli
1d180bbe8e rand: allow seed-src to be missing
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13640)
2020-12-09 22:28:52 +10:00
Pauli
a678506e2f rand: don't leak memory
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13640)
2020-12-09 22:28:52 +10:00
Pauli
8389eeea2c rand seed: include lock and unlock functions.
This satisfies EVP's RAND layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13640)
2020-12-09 21:46:38 +10:00
Pauli
e37b307e02 Fix error clash in build
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13640)
2020-12-09 21:46:38 +10:00
Pauli
81aef6ba72 rand: add a provider side seed source.
This allows the operating system sources that OpenSSL supports to be
used directly as RNGs.  It also allows DRBG seeding to be explicitly
specified rather than being left to a fall back case.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13455)
2020-12-09 12:20:32 +10:00
Richard Levitte
d8975dec0c TLS: Use EVP_PKEY_get_group_name() to get the group name
For the moment, we translate the result to a NID, because that's still
used in several locations in libssl.  Future development should change
all the internals to be name based instead.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13436)
2020-12-08 20:13:54 +01:00
Richard Levitte
88bddad42e EVP: Add EVP_PKEY_get_group_name() to extract the group name of a pkey
This replaces the internal evp_pkey_get_EC_KEY_curve_nid()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13436)
2020-12-08 20:13:54 +01:00
Richard Levitte
a73a189222 EVP: constify the EVP_PKEY_get_*_param() argument |pkey|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13436)
2020-12-08 20:13:54 +01:00
David Carlier
8d4b5260d2 Add MAP_CONCEAL from OpenBSD which has similar purpose but on mmap
call level.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13394)
2020-12-08 18:27:07 +01:00
David Carlier
27db611872 CRYPTO_secure_malloc_init: Add FreeBSD support for secure-malloc dont-dump-region.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13394)
2020-12-08 18:27:07 +01:00
Daniel Bevenius
c60b572319 STORE: clear err after ossl_store_get0_loader_int
This commit clears the error that might have been set when
ossl_store_get0_loader_int has been called as it will try to retrieve
a loader for the scheme on an empty store, which will cause the error
OSSL_STORE_R_UNREGISTERED_SCHEME to be set.

The motivation for this after returning from
ossl_store_get0_loader_int, OSSL_STORE_attach will continue and try to
fetch a OSSL_STORE_LOADER from the provider.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12901)
2020-12-08 18:23:29 +01:00
Matt Caswell
e0b5058c11 Fix no-err
The ERR_load_*_strings() functions were not being defined in a no-err
build. This is an API break since in 1.1.1 they were still present in a
no-err build, but were no-ops. This was also causing a failure in
test_symbol_presence. We revert to the way things were done in 1.1.1,
i.e. in a no-err build the functions are still present but are no-ops.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13598)
2020-12-08 16:10:17 +00:00
Matt Caswell
8778f0eb8e Fix a compilation failure with no-tls_1_2
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13596)
2020-12-08 15:53:18 +00:00
Matt Caswell
b1fdbc688c Fix a test failure with no-tls1_3
If we're using TLSv1.2 then the test_sigalgs_available test needs to be
careful which ciphersuite is selected in order for the test to behave
correctly.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13596)
2020-12-08 15:53:18 +00:00
Richard Levitte
142841ddc4 providers/common/der/build.info: Improve checks of disabled algos
This protects us from unwanted GENERATE statements in particular.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13626)
2020-12-08 16:16:53 +01:00
Matt Caswell
1e13198fa7 Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2020-12-08 11:45:55 +00:00
Matt Caswell
22b88fc9c0 Add a test for encoding/decoding using an invalid ASN.1 Template
If you have a CHOICE type that it must use explicit tagging - otherwise
the template is invalid. We add tests for this.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-12-08 10:17:03 +00:00
Matt Caswell
97ab3c4b53 Add a test for GENERAL_NAME_cmp
Based on a boringssl test contributed by David Benjamin

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-12-08 10:17:03 +00:00
Matt Caswell
3db2c9f3e5 Complain if we are attempting to encode with an invalid ASN.1 template
It never makes sense for multi-string or CHOICE types to have implicit
tagging. If we have a template that uses the in this way then we
should immediately fail.

Thanks to David Benjamin from Google for reporting this issue.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-12-08 10:17:03 +00:00
Matt Caswell
43a7033a01 Check that multi-strings/CHOICE types don't use implicit tagging
It never makes sense for multi-string or CHOICE types to use implicit
tagging since the content would be ambiguous. It is an error in the
template if this ever happens. If we detect it we should stop parsing.

Thanks to David Benjamin from Google for reporting this issue.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-12-08 10:17:03 +00:00
Matt Caswell
b33c48b75a Correctly compare EdiPartyName in GENERAL_NAME_cmp()
If a GENERAL_NAME field contained EdiPartyName data then it was
incorrectly being handled as type "other". This could lead to a
segmentation fault.

Many thanks to David Benjamin from Google for reporting this issue.

CVE-2020-1971

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-12-08 10:16:50 +00:00