Shane Lontis [Fri, 21 Aug 2020 05:14:42 +0000 (15:14 +1000)]
Fix X509 propq so it does not use references
Fixes #13486
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12700)
x509_vfy.c: Restore rejection of expired trusted (root) certificate
The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until commit 0e7b1383e, which accidentally killed it.
The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().
Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.
Fixes #13427
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13590)
Richard Levitte [Mon, 30 Nov 2020 09:44:34 +0000 (10:44 +0100)]
Add test to demonstrate the app's new engine key loading
This adds a bit of functionality in ossltest, so it can now be used to
load PEM files. It takes the file name as key ID, but just to make
sure faults aren't ignored, it requires all file names to be prefixed
with 'ot:'.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13570)
Richard Levitte [Mon, 30 Nov 2020 06:25:46 +0000 (07:25 +0100)]
APPS: Adapt load_key() and load_pubkey() for the engine: loader
These two functions react when the FORMAT_ENGINE format is given, and
use the passed ENGINE |e| and the passed key argument to form a URI
suitable for the engine: loader.
Co-authored-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13570)
Matt Caswell [Tue, 1 Dec 2020 15:19:56 +0000 (15:19 +0000)]
Fix a compile error with the no-sock option
BIO_do_connect() can work even in no-sock builds (non socket based BIOs
have the right ctrls). Therefore we move the macro outside of the
OPENSSL_NO_SOCK guards
Fixes #12207
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13587)
Daiki Ueno [Mon, 26 Oct 2020 12:23:14 +0000 (13:23 +0100)]
openssl dgst: add option to specify output length for XOF
This adds the -xoflen option to control the output length of the XOF
algorithms, such as SHAKE128 and SHAKE256.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13245)
Richard Levitte [Fri, 27 Nov 2020 06:59:02 +0000 (07:59 +0100)]
ENCODER: Don't pass libctx to OSSL_ENCODER_CTX_new_by_EVP_PKEY()
The passed 'pkey' already contains a library context, and the encoder
implementations should be found within the same context, so passing an
explicit library context seems unnecessary, and potentially dangerous.
It should be noted that it's possible to pass an EVP_PKEY with a
legacy internal key. The condition there is that it doesn't have a
library context assigned to it, so the NULL library context is used
automatically, thus requiring that appropriate encoders are available
through that context.
Fixes #13544
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13545)
Ankita Shetty [Tue, 24 Nov 2020 18:55:27 +0000 (19:55 +0100)]
cmp_client.c: Fix indentation and remove empty line
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13488)
Ankita Shetty [Mon, 23 Nov 2020 16:12:33 +0000 (17:12 +0100)]
cmp_client.c: Remove dead code of variable 'txt' in cert_response()
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13488)
Matt Caswell [Thu, 19 Nov 2020 13:58:21 +0000 (13:58 +0000)]
Don't Overflow when printing Thawte Strong Extranet Version
When printing human readable info on the Thawte Strong Extranet extension
the version number could overflow if the version number == LONG_MAX. This
is undefined behaviour.
Issue found by OSSFuzz.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13452)
Shane Lontis [Mon, 16 Nov 2020 02:42:18 +0000 (12:42 +1000)]
Add EVP_KDF-X942 to the fips module
The X942 KDF had been modified so that it supports all optional fields - not
just the fields used by CMS.
As there are 2 types of KDF for X942 - this has been made a bit clearer
by adding an X942KDF-ASN1 alias. X942KDF-CONCAT has also been added as an
alias of X963KDF.
This work was instigated as a result of the ACVP tests optionally being
able to use keybits for the supp_pubinfo field.
Setting the parameter OSSL_KDF_PARAM_X942_USE_KEYBITS to 0 allows this
to be disabled.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13418)
Shane Lontis [Wed, 25 Nov 2020 08:19:27 +0000 (18:19 +1000)]
Fix s390 EDDSA HW support in providers.
Fixes #12476
Note this stopped working when ECX was swapped over to using
providers. The ECX_KEY keygen and exchange were converted, but not the ED
signing support.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/13508)
Tim Hudson [Thu, 26 Nov 2020 02:31:25 +0000 (12:31 +1000)]
Correct system guessing for darwin64-arm64 target
Previously the system guessing logic would incorrectly guess
i686-apple-darwin as the fallback for any unspecified architecture
that is a Darwin target
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13517)
Kelvin Lee [Tue, 1 Dec 2020 13:25:01 +0000 (00:25 +1100)]
Fix simpledynamic.c - a typo and missed a header
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13584)
Richard Levitte [Wed, 25 Nov 2020 06:57:45 +0000 (07:57 +0100)]
TEST: Add a simple module loader, and test the FIPS module with it
This very simple module loader is only linked with the standard C
library, so cannot and should not provide any other symbol to the
module it tries to load. It can thereby be used to verify that the
module it tries to load doesn't have any surprising dependencies when
it's supposed to be self contained.
A test recipe is added to verify the FIPS module with this loader.
Fixes #11020
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13507)
Ard Biesheuvel [Tue, 24 Nov 2020 16:33:31 +0000 (17:33 +0100)]
aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode
ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are affected
by silicon errata #1742098 [0] and #1655431 [1], respectively, where the
second instruction of a AES instruction pair may execute twice if an
interrupt is taken right after the first instruction consumes an input
register of which a single 32-bit lane has been updated the last time it
was modified.
This is not such a rare occurrence as it may seem: in counter mode, only
the least significant 32-bit word is incremented in the absence of a
carry, which makes our counter mode implementation susceptible to these
errata.
So let's shuffle the counter assignments around a bit so that the most
recent updates when the AES instruction pair executes are 128-bit wide.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13504)
Matt Caswell [Fri, 27 Nov 2020 09:55:36 +0000 (09:55 +0000)]
Fix builds that specify both no-dh and no-ec
Various sections of code assumed that at least one of dh or ec would be
available. We also now also need to handle cases where a provider has
a key exchange algorithm and TLS-GROUP that we don't know about.
Fixes #13536
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13549)
Matt Caswell [Wed, 25 Nov 2020 15:18:15 +0000 (15:18 +0000)]
Fix TLS1.2 CHACHA20-POLY1305 ciphersuites with OPENSSL_SMALL_FOOTPRINT
If OPENSSL_SMALL_FOOTPRINT was defined then the CHACHA20-POLY1305
implementation for TLS went down a different codepath that failed to
adjust the payload length to remove the tag.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13513)
Matt Caswell [Wed, 25 Nov 2020 13:13:24 +0000 (13:13 +0000)]
Fix instances of pointer addition with the NULL pointer
Addition using the NULL pointer (even when adding 0) is undefined
behaviour. Recent versions of ubsan are now complaining about this, so
we fix various instances.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13513)
John Baldwin [Wed, 7 Oct 2020 21:34:19 +0000 (14:34 -0700)]
Allow zero-byte writes to be reported as success.
When using KTLS, empty fragments sent as a mitigation for known-IV
weakenesses in TLS 1.0 are sent as writes of 0 bytes. The TLS header
and trailer are added to the empty fragment by the kernel.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13090)
Richard Levitte [Fri, 27 Nov 2020 07:08:08 +0000 (08:08 +0100)]
TEST: Fix path length in test/ossl_store_test.c
The URI length was set to 80 chars, but the URI being built up may
need more space, all depending on the paths used to get to the files
that are to be loaded. If the result needs more than 80 chars, the
test will fail.
Fixed by using PATH_MAX.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13546)
Liang Liu [Thu, 26 Nov 2020 04:40:13 +0000 (20:40 -0800)]
[DOC]Fix two broken links in INSTALL.md; Change name of zlib flag to the current one.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13519)
J08nY [Thu, 26 Nov 2020 22:39:15 +0000 (23:39 +0100)]
README: Move Travis link to .com from .org.
CLA: trivial
Fixes #12423
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13538)
Richard Levitte [Fri, 20 Nov 2020 21:13:11 +0000 (22:13 +0100)]
ERR: Drop or deprecate dangerous or overly confusing functions
ERR_get_error_line() is deprecated, and ERR_get_error_func() and
ERR_get_error_data() are removed in favor of ERR_get_error_all(),
since they pop the error record, leaving the caller with only partial
error record data and no way to get the rest if the wish.
If it's desirable to retrieve data piecemeal, the caller should
consider using the diverse ERR_peek functions and finish off with
ERR_get_error().
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13466)
Matt Caswell [Tue, 24 Nov 2020 16:45:48 +0000 (16:45 +0000)]
Fix no-engine
If we specify no-engine then this should cascade to also mean
no-dynamic-engine. The store test was only checking whether
dynamic-engine was disabled, meaning that some tests were failing
in a no-engine build.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13502)
Richard Levitte [Thu, 26 Nov 2020 10:58:56 +0000 (11:58 +0100)]
EVP_PKEY & DSA: Make DSA EVP_PKEY_CTX parameter ctrls / setters more available
EVP_PKEY_CTX_set_dsa_ functions were only available when DSA was
enabled ('no-dsa' not configured). However, that makes it impossible
to use these functions with an engine or a provider that happens to
implement DSA. This change solves that problem by shuffling these
functions to more appropriate places.
Fixes #13529
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13530)
ihsinme [Wed, 25 Nov 2020 19:09:33 +0000 (22:09 +0300)]
Update bio_ok.c
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13515)
Matt Caswell [Wed, 25 Nov 2020 10:37:22 +0000 (10:37 +0000)]
Remove d2i_DHparams.pod and move documentation to d2i_RSAPrivateKey.pod
d2i_RSAPrivateKey.pod is the more generic page for these deprecated
functions and provides advice and guidance on how to translate the old
style functions into new ones.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13138)
Shane Lontis [Fri, 27 Nov 2020 04:59:18 +0000 (14:59 +1000)]
Fix no-deprecated configuration
pem_read_depr_test needed to be setup in build info so that it only
exists inside an IF[{- !$disabled{'deprecated-3.0'} -}] block.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13543)
Shane Lontis [Wed, 18 Nov 2020 09:49:19 +0000 (19:49 +1000)]
Fix EVP_CIPHER_CTX_set_padding for legacy path
Fixes #13057
When using an engine, there is no cipher->prov so a call to
EVP_CIPHER_CTX_set_padding() returns an error when
evp_do_ciph_ctx_setparams() is called. For the legacy path it needs to
avoid doing the call and just return 1.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13437)
Daniel Bevenius [Wed, 11 Nov 2020 04:23:11 +0000 (05:23 +0100)]
EVP: don't touch the lock for evp_pkey_downgrade
This commit tries to address a locking issue in evp_pkey_reset_unlocked
which can occur when it is called from evp_pkey_downgrade.
evp_pkey_downgrade will acquire a lock for pk->lock and if successful
then call evp_pkey_reset_unlocked. evp_pkey_reset_unlocked will call
memset on pk, and then create a new lock and set pk->lock to point to
that new lock. I believe there are two problems with this.
The first is that after the call to memset, another thread would try to
acquire a lock for NULL as that is what the value of pk->lock would be
at that point.
The second issue is that after the new lock has been assigned to
pk->lock, that lock is different from the one currently locked so
another thread trying to acquire the lock will succeed which can lead to
strange behaviour. More details and a reproducer can be found in the
Refs link below.
This changes the evp_pkey_reset_unlocked to not touch the lock
and the creation of a new lock is done in EVP_PKEY_new.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13374)
Matt Caswell [Tue, 24 Nov 2020 15:22:25 +0000 (15:22 +0000)]
Fix no-posix-io
The "multi" variable should only be used within HTTP_DAEMON guards.
However there were a few spots where this was not the case, which
causes no-posix-io builds to fail.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13498)
Richard Levitte [Wed, 25 Nov 2020 13:10:29 +0000 (14:10 +0100)]
APPS: Make it possible for apps to set the base (fallback) UI_METHOD
The apps UI method acts as a proxy that bases its activity on a base
(was called fallback) UI_METHOD, which defaults to UI_OpenSSL() under
normal circumstances.
However, some apps might want to have it based on another UI_METHOD,
such as UI_null() to avoid prompting (typical for a -batch run). The
new function set_base_ui_method() allows them to do precisely this.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13512)
Richard Levitte [Mon, 23 Nov 2020 02:03:28 +0000 (03:03 +0100)]
DOC: Add note on how to terminate an OSSL_PARAM array
The examples are also updated to have correct terminators.
doc/man3/OSSL_PARAM.pod is deliberately written with no help from the
constructor macros described in OSSL_PARAM_int.pod. Therefore, use of
OSSL_PARAM_END isn't shown directly here, only leaving a link to its
man-page to indicate that there is that option.
Fixes #11280
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13478)
Matt Caswell [Tue, 24 Nov 2020 14:45:07 +0000 (14:45 +0000)]
Fix no-rc2
Skip a test that relies on RC2 being present in a no-rc2 build.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13496)
Matt Caswell [Mon, 2 Nov 2020 11:04:06 +0000 (11:04 +0000)]
Remove deprecation warning suppression from genpkey
genpkey was supressing deprecation warnings in order to support ENGINE
functionality. We move all of that into a separate file so that we don't
need to suppress the warnings anymore.
Fixes #13118
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13454)
Matt Caswell [Tue, 10 Nov 2020 17:04:02 +0000 (17:04 +0000)]
Re-enable testing of ciphersuites
Commit be9d82bb3 inadvertently disabled ciphersuite testing. This masked
some issues. Therefore we fix this testing.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13378)
Matt Caswell [Wed, 11 Nov 2020 11:07:12 +0000 (11:07 +0000)]
Fix RC4-MD5 based ciphersuites
The RC4-MD5 ciphersuites were not removing the length of the MAC when
calculating the length of decrypted TLS data. Since RC4 is a streamed
cipher that doesn't use padding we separate out the concepts of fixed
length TLS data to be removed, and TLS padding.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13378)
Matt Caswell [Tue, 10 Nov 2020 16:01:11 +0000 (16:01 +0000)]
Ensure Stream ciphers know how to remove a TLS MAC
We previously updated the block ciphers to know how to remove a TLS
MAC when using Encrypt-then-MAC. We also need to do the same for stream
ciphers.
Fixes #13363
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13378)
Matt Caswell [Wed, 18 Nov 2020 12:07:43 +0000 (12:07 +0000)]
Test that OSSL_STORE can load various types of params
There have been instances where OSSL_STORE got confused between DSA and
DH params (e.g. see issue #13046) due the DER encoding of DH and DSA params
looking identical. Therefore we test that we get the types that we expect.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13329)
Matt Caswell [Mon, 23 Nov 2020 12:01:34 +0000 (12:01 +0000)]
Undeprecate the -dsaparam option in the dhparam app
The -dsaparam option was deprecated because it was previously using
deprecated functions in order to operate. This is no longer the case
and therefore does not need to be deprecated.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13485)
Richard Levitte [Thu, 12 Nov 2020 08:19:24 +0000 (09:19 +0100)]
Modify the ERR init functions to use the internal ERR string loaders
This deprecates all the ERR_load_ functions, and moves their definition to
separate C source files that can easily be removed when those functions are
finally removed.
This also reduces include/openssl/kdferr.h to include cryptoerr_legacy.h,
moves the declaration of ERR_load_ERR_strings() from include/openssl/err.h
to include/openssl/cryptoerr_legacy.h, and finally removes the declaration
of ERR_load_DSO_strings(), which was entirely internal anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13390)
Richard Levitte [Thu, 12 Nov 2020 08:12:41 +0000 (09:12 +0100)]
ERR: Modify util/mkerr.pl to produce internal err string loaders
This also modifies the .ec L statement to take a third file, which is
the internal header file to declare internal things. This is only
useful for our internal declarations and will not affect engines.
Fixes #10527
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13390)
Matt Caswell [Mon, 23 Nov 2020 16:10:57 +0000 (16:10 +0000)]
Turn on Github CI
As an interim measure until we work out our longer term CI strategy
this PR enables some basic CI tests using the Github CI capability.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13489)
Petr Gotthard [Sun, 22 Nov 2020 16:50:53 +0000 (17:50 +0100)]
Fix double-free in decoder_pkey.c
Fix for the issue #13472. The decoderctx has to be initialized in every
cycle as its constructor may not be called due to lazy evaluation of
the if-condition.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13473)
Richard Levitte [Mon, 23 Nov 2020 01:26:34 +0000 (02:26 +0100)]
TEST: Make our test data binary
Our test data (test/data.txt and test/data2.txt) are text files, but
declaring them binary means that there will be no line ending
transformation done on them. This is necessary for testing on
non-Unix platforms, where certain tests could otherwise give results
that don't match expected results.
Fixes #13474
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13477)