Commit Graph

28931 Commits

Author SHA1 Message Date
Matt Caswell
f5afac4bda Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14986)
2021-04-22 14:38:44 +01:00
Tomas Mraz
d97f087063 Fix build failure with MSVC
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14983)
2021-04-22 14:24:44 +01:00
Matt Caswell
cd28d129b6 Avoid the need for Configure time 128-bit int detection
We just detect this at compile time instead.

This avoids cross-compilation problems where the host platform supports
128-bit ints, but the target platform does not (or vice versa). This was
causing a problem on some platforms where, dependent on the CFLAGS, 128 bit
ints were either supported or not.

Fixes #14804

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14941)
2021-04-22 08:31:26 +01:00
MichaM
af9fb19a47 Fix typos
CLA: trivial

Signed-off-by: MichaM <contact-micha+github@posteo.de>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14879)
2021-04-22 11:16:35 +10:00
Nicola Tuveri
16df436df2 Add missing argname for keymgmt_gettable_params and keymgmt_settable_params prototypes
For some reason `keymgmt_gettable_params` and `keymgmt_settable_params`
seem to be the only prototypes in `core_dispatch.h` without named
arguments.

This is annoying if `core_dispatch.h` is being parsed to extract
information and also for developers who would like the header to be
self-contained, without having to refer to the documentation every time
to check what is supposed to be passed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14950)
2021-04-22 11:08:36 +10:00
Dr. David von Oheimb
3e73111d13 ASN.1: Add some sanity checks for input len <= 0; related coding improvements
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14357)
2021-04-21 15:06:21 +02:00
Dr. David von Oheimb
db76a35e26 tasn_dec.c: Add checks for it == NULL arguments; improve coding style
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14357)
2021-04-21 15:06:21 +02:00
Dr. David von Oheimb
c0e724fcbe DOC: Clarify EVP_MAC_init() params vs. EVP_MAC_CTX_set_params()
Fixes #14855

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14937)
2021-04-21 14:12:54 +02:00
Rich Salz
5c42f7aa64 Use build.info not file-wide ifndef
If configured with no-cms, handle it in build.info like the other options.
I guess I missed doing this file in PR #11250

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14918)
2021-04-21 11:06:18 +02:00
Richard Levitte
1fbf7079e7 STORE: Discard the error report filter in crypto/store/store_result.c
The error report filter was fragile, as it could potentially have to
be updated when other parts of libcrypto got updated, making a goose
chase and a maintenance problem.

We change this to regard d2i errors as something we don't care so much
about, since they are mainly part of the guessing mechanism.  The
success of the ossl_store_handle_load_result() call is based on
whether an object was actually created or not anyway.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
2021-04-21 10:53:03 +02:00
Richard Levitte
7aef200089 TEST: Adapt the EVP test
The EVP test didn't recognise ERR_R_UNSUPPORTED, now does

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
2021-04-21 10:53:03 +02:00
Richard Levitte
9cc97ddf3c Adapt our decoder implementations to the new way to indicate succes / failure
This includes the special decoder used in our STOREMGMT 'file:' implementation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
2021-04-21 10:53:03 +02:00
Richard Levitte
f99659535d ENCODER & DECODER: Allow decoder implementations to specify "carry on"
So far, decoder implementations would return true (1) for a successful
decode all the way, including what the callback it called returned,
and false (0) in all other cases.

This construction didn't allow to stop to decoding process on fatal
errors, nor to choose what to report in the provider code.

This is now changed so that decoders implementations are made to
return false only on errors that should stop the decoding process from
carrying on with other implementations, and return true for all other
cases, even if that didn't result in a constructed object (EVP_PKEY
for example), essentially making it OK to return "empty handed".

The success of the decoding process is now all about successfully
constructing the final object, rather than about the return value of
the decoding chain.  If no construction is attempted, the central
decoding processing code concludes that whatever the input consisted
of, it's not supported by the available decoder implementations.

Fixes #14423

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
2021-04-21 10:53:03 +02:00
Petr Gotthard
a2502862f6 Fix memory leak in X509_REQ
The propq is strdup'ed in X509_REQ_new_ex, but never freed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14907)
2021-04-21 09:00:20 +02:00
Dr. David von Oheimb
4e030ed45d apps/cmp.c: Fix double free on OSSL_CMP_CTX_set1_p10CSR() failure
Fixes #14910
Also slightly improve further error handling of setup_request_ctx().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14929)
2021-04-21 07:23:20 +02:00
Pauli
2ec6491669 asn1: fix indentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
2021-04-21 09:27:51 +10:00
Pauli
c4685815bf dsa: remove unused macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
2021-04-21 09:27:51 +10:00
Pauli
42e7d043f0 srp: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
2021-04-21 09:27:51 +10:00
Pauli
3f700d4b95 pem: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
2021-04-21 09:27:51 +10:00
Pauli
e27fea4640 ocsp: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
2021-04-21 09:27:51 +10:00
Pauli
27344bb82a cms: remove most references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
2021-04-21 09:27:51 +10:00
Pauli
192d500878 x509: remove most references to EVP_sha1()
Fixes #14387

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
2021-04-21 09:27:51 +10:00
Pauli
6bcbc36985 test: fix double free problems.
In function test_EVP_PKEY_ffc_priv_pub, params is freed via OSSL_PARAM_free() at line 577.
If the condition at line 581 is true, the execution will goto err, and params will be freed again at line 630.

The same problem also happens at line 593 and line 609, which causes two double free bugs.

Bugs reported by @Yunlongs

Fixes 14916

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
2021-04-21 09:17:22 +10:00
Pauli
efe8d69daa engine: fix double free on error path.
In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481.
If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8.
In the nop8 branch, p8 is freed again at line 491.

Bug reported by @Yunlongs

Fixes #14915

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
2021-04-21 09:17:22 +10:00
Pauli
db78c84eb2 ts: fix double free on error path.
In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439.

After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token.
In the err branch, md_alg will be freed in the second time at line 320.

Bug reported by @Yunlongs

Fixes #14914

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
2021-04-21 09:17:22 +10:00
Pauli
b06450bcf7 srp: fix double free,
In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
And *verify is freed via BN_clear_free() at line 743, and return 0.
Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.

Bug reported by @Yunlongs

Fixes #14913

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
2021-04-21 09:17:22 +10:00
Pauli
4ecb19d109 params_dup: fix off by one error that allows array overreach.
The end of loop test allows the index to go one step too far to be able to
terminate the param array but the end of list record is still added.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14922)
2021-04-21 08:57:42 +10:00
Dr. David von Oheimb
1c0eede982 Improve ossl_cmp_build_cert_chain(); publish it as X509_build_chain()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14128)
2021-04-20 10:47:24 +02:00
Rich Salz
a78c7c0bfe Flip ordering back
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)
2021-04-20 10:12:29 +02:00
Rich Salz
99adfa455c Fetch before get-by-name
This causes tests to break.  Pushing it to help others debug.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)
2021-04-20 10:12:29 +02:00
Rich Salz
606a417fb2 Fetch and free cipher and md's
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)
2021-04-20 10:12:29 +02:00
Juergen Christ
c39352e4e4 Fix compile errors on s390.
Commit f6c95e46c0 added an "origin" field to
EVP_CIPHER and EVP_MD structures but did not update the s390 specific
implementations.  Update these to fix compile errors on s390.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14926)
2021-04-20 09:57:19 +02:00
Rich Salz
72f649e061 Remove extra trailing semicolon
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14903)
2021-04-20 07:09:58 +10:00
Tomas Mraz
cd0aca5320 Update krb5 module to latest release
Fixes #14902

Also add workaround of `sudo hostname localhost` for the
intermittent test failures seen in CI.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14872)
2021-04-19 11:46:39 -07:00
Dr. David von Oheimb
16b8862d80 PKCS12 etc.: Add hints on using -legacy and -provider-path options
Fixes #14790

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14891)
2021-04-19 16:23:46 +02:00
Matt Caswell
ee203a87ff Add a test for OSSL_LIB_CTX_set0_default
Also includes testing for OSSL_LIB_CTX_get0_global_default().

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
2021-04-19 10:52:18 +01:00
Matt Caswell
978e323a4d Add the function OSSL_LIB_CTX_get0_global_default()
An API function for obtaining the global default lib ctx.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
2021-04-19 10:52:18 +01:00
Matt Caswell
92b20fb8f7 Change the semantics of OSSL_LIB_CTX_set0_default() NULL handling
Change things so that passing NULL to OSSL_LIB_CTX_set0_default() means
keep the current library context unchanged.

This has the advantage of simplifying error handling, e.g. you can call
OSSL_LIB_CTX_set0_default in an error/finalisation block safe in the
knowledge the if the "prevctx" was never set then it will be a no-op (like
calling a "free" function with NULL).

Fixes #14593

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
2021-04-19 10:50:29 +01:00
Matt Caswell
145a4c871d Remove a TODO(3.0) from keymgmt_lib.c
The TODO suggest a possible refactoring. The refactoring doesn't seem
necessary at this stage. If it is required later it can be done without
affecting external APIs - so just remove the TODO.

Fixes #14397

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14888)
2021-04-19 10:45:20 +01:00
Matt Caswell
21d1994faf Don't worry about magic in the Makefile for 3.0
We remove a TODO(3.0) from the unix Makefile template. The current
approach works. It can be improved later.

Fixes #14403

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14887)
2021-04-19 10:41:51 +01:00
Matt Caswell
57e7401fc5 Fix some TODO(3.0) occurrences in ssl/t1_lib.c
One was related to probing for the combination of signature and hash
algorithm together. This is currently not easily possible. The TODO(3.0)
is converted to a normal comment and I've raised the problem as issue
number #14885 as something to resolve post 3.0.

The other TODO was a hard coded limit on the number of groups that could
be registered. This has been amended so that there is no limit.

Fixes #14333

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14886)
2021-04-19 10:39:12 +01:00
Tomas Mraz
b247113c05 Detect low-level engine and app method based keys
The low-level engine and app method based keys have to be treated
as foreign and must be used with old legacy pmeths.

Fixes #14632

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14859)
2021-04-19 11:36:16 +02:00
Tanzinul Islam
5ae52001e1 Remove crypt32.lib from C++Builder configuration
`import32.lib` serves the purpose for most Windows API libraries, including this one. For example, with a GNU `grep` utility:

>tdump %BDS%\lib\win32c\release\import32.lib | grep -B 3 -A 1 CertOpenStore
171E32 COMENT  Purge: Yes, List: Yes, Class: 160 (0A0h), SubClass: 1 (01h)
    Dynamic link import (IMPDEF)
      Imported by: name
      Internal Name: CertOpenStore
      Module Name: CRYPT32.dll

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:55 +02:00
Tanzinul Islam
daf98015aa Link with uplink module
The Clang-based `bcc32c.exe` expects AT&T syntax for inline assembly.
References:
 - http://docwiki.embarcadero.com/RADStudio/Sydney/en/Differences_Between_Clang-enhanced_C%2B%2B_Compilers_and_Previous-Generation_C%2B%2B_Compilers#Inline_Assembly
 - https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html
 - https://sourceware.org/binutils/docs/as/i386_002dVariations.html

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:55 +02:00
Tanzinul Islam
491a1e3363 Link with .def files
MSVC's `link.exe` automatically finds `__cdecl` C functions (which are
decorated with a leading underscore by the compiler) when they are
mentioned in a `.def` file without the leading underscore.  This is an
[under-documented feature][1] of MSVC's `link.exe`.  C++Builder's
`ilink32.exe` doesn't do this, and thus needs the name-translation in
the `.def` file.  Then `implib.exe` needs to be told to re-add it.

(The Clang-based `bcc32c.exe` doesn't implement the [`-vu` or `-u-`][2]
options to skip adding the leading underscore to `__cdecl` C function
names, so this is the only way to have things work with non-underscored
export names in the DLLs.)

[1]: https://github.com/MicrosoftDocs/cpp-docs/issues/2653
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Options_Not_Supported_by_Clang-enhanced_C%2B%2B_Compilers#BCC32_Options_that_Are_Not_Supported_by_Clang-enhanced_C.2B.2B_Compilers

Also silence linker warnings on duplicate symbols and ensure that error-
case cleanup in link rules work in C++Builder's `make.exe`.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:55 +02:00
Tanzinul Islam
16f2a44435 Generate dependency information
The Clang-based `bcc32c.exe` doesn't implement the `-Hp` option, so we
have to use [`cpp32.exe`][1] instead.  Therefore, change the dependency-
emitting command to use `$(CPP)` instead of `$(CC)`, which which also
uncovered the [existing bug of `2>&1` before `> $dep`][2].  Also
C++Builder's `make.exe` doesn't implement `2>&1` in its command runner,
so wrap the whole line in a `cmd /C`.

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/CPP32.EXE,_the_C_Compiler_Preprocessor
[2]: https://ss64.com/nt/syntax-redirection.html

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:55 +02:00
Tanzinul Islam
96d4ec6724 Avoid more MSVC-specific C runtime library functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:54 +02:00
Tanzinul Islam
6afb36342d Build resource files
We need to compile with [brcc32.exe][1] and link with [ilink32.exe][2].
The latter expects the `.res` files to be given in the final comma-
separated section in the command line (after the `.def` file).

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/BRCC32.EXE,_the_Resource_Compiler
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Using_ILINK32_and_ILINK64_on_the_Command_Line#Command-Line_Elements

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:54 +02:00
Tanzinul Islam
5fee3fe276 Support DLL builds + Fix C RTL variants
We need to generate a import library without the version in the
filename. MSVC's `link.exe` accommodates this with the [`/implib:`
option][1], while C++Builder needs a separate run of [`implib.exe`][2].
Also fix the variants of the [C runtime library and startup objects][3].

[1]: https://docs.microsoft.com/en-us/cpp/build/reference/implib-name-import-library?view=msvc-160
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/IMPLIB.EXE,_the_Import_Library_Tool_for_Win32
[3]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Static_Runtime_Libraries

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:54 +02:00
Tanzinul Islam
c4f4cb14e3 Ensure cw32mt.lib and import32.lib are linked to in no-sock mode
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
2021-04-19 11:05:54 +02:00