Richard Levitte [Wed, 16 Jun 2021 08:49:31 +0000 (10:49 +0200)]
Build file templates: Fix in2script dependencies
The in2script functions generate the build file rules for generating
scripts from .in files. A dependency on configdata.pm is needed,
since it's being used for this.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15792)
Richard Levitte [Tue, 15 Jun 2021 08:18:19 +0000 (10:18 +0200)]
CORE: Do a bit of cleanup of core fetching
Some data, like the library context, were passed both through higher
level callback structures and through arguments to those same higher
level callbacks. This is a bit unnecessary, so we rearrange the
callback arguments to simply pass that callback structure and rely on
the higher level fetching functionality to pick out what data they
need from that structure.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15750)
Shane Lontis [Tue, 15 Jun 2021 09:56:36 +0000 (19:56 +1000)]
Fix DH private key check.
A recent addition removed setting the dh private key length when
a safe prime group is used. The private key validation check was relying on this
being set for safe primes. Setting the upper bound no longer checks the
length if the value is zero.
This caused a failure in the daily build of acvp_tests.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15760)
Matt Caswell [Mon, 14 Jun 2021 11:08:38 +0000 (12:08 +0100)]
Clean up the encoder/decoder/loader stores before providers
We already had the evp method store being cleaned up before the provider
store was. This prevents issues where the method clean up functions cause
providers to clean up, which then needs access to the provider store. We
extend the same thinking to the encoder/decoder/loader stores.
Fixes #15727
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15741)
Matt Caswell [Wed, 9 Jun 2021 15:10:03 +0000 (16:10 +0100)]
Add documentation for the newly added OBJ up calls
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15681)
Matt Caswell [Wed, 9 Jun 2021 14:50:37 +0000 (15:50 +0100)]
Add a test for the newly added OBJ upcalls
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15681)
Matt Caswell [Wed, 9 Jun 2021 13:05:26 +0000 (14:05 +0100)]
Add various OBJ functions as callbacks
This enables providers to register new OIDs in the same libcrypto instance
as is used by the application.
Fixes #15624
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15681)
Pauli [Mon, 14 Jun 2021 22:32:48 +0000 (08:32 +1000)]
new: update NEWS.md so it is correct.
- Removing the deprecation note for public key commands.
- Fixing the note about ECX and SHAKE in the FIPS provider.
- Noting which KDFs are included.
- Noting which MACs are included.
Fixes #15743
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15746)
Pauli [Mon, 14 Jun 2021 22:30:23 +0000 (08:30 +1000)]
new: update NEWS.md so it is correct.
- Removing the deprecation note for public key commands.
- Fixing the note about ECX and SHAKE in the FIPS provider.
- Noting which KDFs are included.
- Noting which MACs are included.
Fixes #15743
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15746)
Richard Levitte [Thu, 10 Jun 2021 05:31:13 +0000 (07:31 +0200)]
Refactor OSSL_STORE_LOADER_do_all_provided() to behave like OSSL_STORE_LOADER_fetch()
This is refactored to use inner_loader_fetch() without any given name,
which is just there to ensure all decoder implementations are made
into methods, and then use ossl_method_store_do_all() to list them
all.
This also adds the internal ossl_store_loader_do_all_prefetched(),
which can be used if pre-fetching needs to be done separately from
listing all the decoder implementations, or if listing may happen
multiple times.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15604)
Richard Levitte [Wed, 9 Jun 2021 05:50:08 +0000 (07:50 +0200)]
Refactor evp_generic_do_all() to behave like evp_generic_fetch()
This is refactored to use inner_evp_generic_fetch() without any given
name, which is just there to ensure all decoder implementations are
made into methods, and then use ossl_method_store_do_all() to list
them all.
This also adds the internal evp_generic_do_all_prefetched(), which
can be used if pre-fetching needs to be done separately from listing
all the decoder implementations, or if listing may happen multiple
times.
Fixes #15538
Fixes #14837
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15604)
Richard Levitte [Wed, 9 Jun 2021 05:47:41 +0000 (07:47 +0200)]
Refactor OSSL_ENCODER_do_all_provided() to behave like OSSL_ENCODER_fetch()
This is refactored to use inner_ossl_encoder_fetch() without any given
name, which is just there to ensure all encoder implementations are
made into methods, and then use ossl_method_store_do_all() to list
them all.
This also adds the internal ossl_encoder_do_all_prefetched(), which
can be used if pre-fetching needs to be done separately from listing
all the encoder implementations, or if listing may happen multiple
times.
Fixes #15538
Fixes #14837
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15604)
Richard Levitte [Fri, 4 Jun 2021 12:29:07 +0000 (14:29 +0200)]
Refactor OSSL_DECODER_do_all_provided() to behave like OSSL_DECODER_fetch()
This is refactored to use inner_ossl_decoder_fetch() without any given
name, which is just there to ensure all decoder implementations are
made into methods, and then use ossl_method_store_do_all() to list
them all.
This also adds the internal ossl_decoder_do_all_prefetched(), which
can be used if pre-fetching needs to be done separately from listing
all the decoder implementations, or if listing may happen multiple
times.
Fixes #15538
Fixes #14837
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15604)
Hubert Kario [Mon, 14 Jun 2021 11:38:02 +0000 (13:38 +0200)]
s_server: make -rev option easier to find (mention echo)
Since the service is echo-like (see TCP port 7 from RFC 862 or
gnutls-serv --echo), make it easier to find by mentioning "echo" in
the description of it in the help message and man page.
Also fixes the man page inconsistency ("sends it back to the server")
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15739)
Richard Levitte [Mon, 14 Jun 2021 07:25:53 +0000 (09:25 +0200)]
CORE: Move away the allocation of the temporary no_cache method store
The responsibility for managing the temporary store for methods from
algorithm implementations flagged "no_store" is moved up to the diverse
method fetching functions. This allows them to allocate it "just in
time", or in other words not at all if there is no such algorithm
implementation.
This makes this temporary store more flexible if it's needed outside
of the core fetching functionality, and slightly faster when this
temporary store isn't necessary at all.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15737)
Lars Immisch [Thu, 5 Mar 2020 10:26:06 +0000 (11:26 +0100)]
Use getauxval on Android with API level > 18
We received analytics that devices of the device family Oppo A37x
are crashing with SIGILL when trying to load libcrypto.so.
These crashes were fixed by using the system-supplied getauxval function.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11257)
Rich Salz [Sun, 13 Jun 2021 14:49:47 +0000 (10:49 -0400)]
Remove "-immedate_renegotiation" option
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15415)
Rich Salz [Fri, 21 May 2021 17:26:33 +0000 (13:26 -0400)]
Move AllowClientRenegotiation tests
Move them from test_renegotiation to renegotiation in ssl_new
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15415)
Pauli [Mon, 14 Jun 2021 11:22:55 +0000 (21:22 +1000)]
cms: free PKEY_CTX
Preventing a memory leak.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15731)
OSSL_DECODER_CTX_add_extra was calling OSSL_DECODER_do_all_provided in a
loop which was resulting in a large number of calls. Since
OSSL_DECODER_do_all_provided is quite "heavy" this was causing performance
issues.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15716)
Matt Caswell [Tue, 8 Jun 2021 10:49:06 +0000 (11:49 +0100)]
Add a generic SubjectPublicKeyInfo decoder
Previously all the SubjectPublicKeyInfo decoders were specific to a key
type. We would iterate over all of them until a match was found for the correct
key type. Each one would fully decode the key before then testing whether
it was a match or not - throwing it away if not. This was very inefficient.
Instead we introduce a generic SubjectPublicKeyInfo decoder which figures
out what type of key is contained within it, before subsequently passing on
the data to a key type specific SubjectPublicKeyInfo decoder.
Fixes #15646
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15662)
Shane Lontis [Thu, 10 Jun 2021 08:14:03 +0000 (18:14 +1000)]
Fix DH/DHX named groups to not overwrite the private key length.
The only reason(s) the DH private key length should be set are:
(1) The user sets it during key generation via EVP_PKEY_CTX_set_params
using OSSL_PKEY_PARAM_DH_PRIV_LEN.
(2) When loading a PKCS3 (DH) key the optional value
'privateValueLength' is set.
Now that the named groups contain a value for 'q' there is no reason to
automatically overwrite the private key length.
Issue detected by @davidmakepeace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15695)
Tomas Mraz [Fri, 11 Jun 2021 10:32:39 +0000 (12:32 +0200)]
When linking to static libssl always link to static libcrypto
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15714)
Tomas Mraz [Fri, 11 Jun 2021 09:18:54 +0000 (11:18 +0200)]
Do not duplicate symbols between libcrypto and libssl in static builds
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15714)
Tomas Mraz [Thu, 10 Jun 2021 16:27:02 +0000 (18:27 +0200)]
Avoid duplicating prov_running.o in libdefault and libcrypto
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15704)
Added the configuration file option "date_opt" to the openssl applications ca,
crl and x509.
Added ASN1_TIME_print_ex which supports the new datetime format using the
flag ASN1_DTFLGS_ISO8601
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14384)
Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15444)
Tomas Mraz [Thu, 10 Jun 2021 07:58:43 +0000 (09:58 +0200)]
Do not depend on the exact exit failure value of dgst app
On most platforms the EXIT_FAILURE is 1 but on NonStop platform
the EXIT_FAILURE is -1 truncated to 255.
Fixes #15633
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15694)
Shane Lontis [Wed, 9 Jun 2021 07:34:55 +0000 (17:34 +1000)]
Fix s_server app to not report an error when using a non DH certificate.
Fixes #15071
It always tries loading the cert as DH which previously did not produce
an error. The errors are not suppressed for these operations.
The output now matches previous versions of OpenSSL.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15670)
Richard Levitte [Thu, 10 Jun 2021 11:00:54 +0000 (13:00 +0200)]
OpenSSL::Test: Treat SRCDATA directory specially, as it might not exist
Not all tests come with a SRCDATA directory. If it doesn't exist, we
simply drop it from the internal table of directories.
OpenSSL::Test::srcdata_dir() and OpenSSL::Test::srcdata_file() may
return undef in that case. However, recipes shouldn't try to refer to
a non-existing data directory, so if that happens, it's a programming
error and must be corrected.
Fixes #15679
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15700)
Todd Short [Fri, 5 Apr 2019 18:17:22 +0000 (14:17 -0400)]
Optimize session cache flushing
Sort SSL_SESSION structures by timeout in the linked list.
Iterate over the linked list for timeout, stopping when no more
sessions can be flushed.
Do SSL_SESSION_free() outside of SSL_CTX lock
Update timeout upon use
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8687)