jwalch [Tue, 25 May 2021 23:43:23 +0000 (19:43 -0400)]
Fix OCSP_sendreq_nbio arg order
Fixes #15470
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15471)
Tianjia Zhang [Tue, 25 May 2021 08:52:20 +0000 (16:52 +0800)]
apps: Fix the mismatch of SM2 keys keymgmt
The SM2 key has a separate keymgmt, which is independent of the
EC. The key generated by the subcommand ecparam is wrong. Using
'openssl ec -in sm2.key -noout -text' will also encounter some
errors.
When using the ecparam subcommand to generate the SM2 key, use
the correct keymgmt to solve this problem.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15454)
Richard Levitte [Tue, 25 May 2021 08:29:24 +0000 (10:29 +0200)]
util/fix-doc-nits: Fix link detection in collectnames() to be kinder
The way the links were parsed out of the contents caused a regexp
recursion. The easiest way to deal with it is to find all markup
using $markup_re, and then parsing out the L markups and add them to
the links array.
Fixes #15449
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15450)
Richard Levitte [Mon, 24 May 2021 12:25:28 +0000 (14:25 +0200)]
TEST: Add test specific fipsmodule.cnf, and use it
We add the concept of preparation recipes, which are performed
unconditionally. They are all expected to match the pattern
test/recipes/00-prep_*.t.
We add one such preparation recipe, test/recipes/00-prep_fipsmodule_cnf.t,
which helps us generate a test specific fipsmodule.cnf, to be used by
all other tests.
Fixes #15166
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
Richard Levitte [Mon, 24 May 2021 12:19:38 +0000 (14:19 +0200)]
Build file templates: rework how general dependencies are computed
For some types of targets, we pretty much know what kinds of files all
the dependencies are. For some, however, we can't assume anything,
and are faced with dependencies in platform agnostic form. We need to
find those in diverse places in %unified_info, and deduce from there
how they should be converted to a platform specific form.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
Richard Levitte [Mon, 24 May 2021 12:06:00 +0000 (14:06 +0200)]
Rework how providers/fipsmodule.cnf is produced
First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.
Second, having the production of providers/fipsmodule.cnf as a
dependency for run_tests wasn't quite right. What we really want is
to generate it as soon as a new providers/fips.so is produced. That
required a small bit of fiddling with how diverse dependencies are
made.
Fixes #15166
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
Shane Lontis [Tue, 25 May 2021 03:31:44 +0000 (13:31 +1000)]
Fix buffer overflow when generating large RSA keys in FIPS mode.
A pairwise test runs only in FIPS mode.
An assumption about the size of the 'to' buffer passed to
RSA_private_decrypt() was incorrect. It needs to be up to RSA_size()
bytes long - so a fixed buffer of 256 bytes was not large enough.
An exiting malloc has increased in size to allocate buffer space for
both the encrypt and decrypt buffer.
The existing test used 2080 bits which was not quite large enough to
trigger the issue. A test using 3072 bits has been added.
Reported by Mark Powers from Acumen.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15447)
Tom Cosgrove [Mon, 17 May 2021 08:59:57 +0000 (09:59 +0100)]
Fix -static builds on master
Pull in Todd Short's fix cfd7225fbb from 1.1.1, which moves the disabling
of pic, threads and statics to before they are checked.
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15214)
Pauli [Tue, 25 May 2021 02:04:22 +0000 (12:04 +1000)]
err: rename err_load_xxx_strings_int functions
The new names are ossl_err_load_xxx_strings.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15446)
Petr Gotthard [Mon, 24 May 2021 09:40:15 +0000 (11:40 +0200)]
Fix building of test/pbetest.c
The test_pkcs5_pbe() function is required twice:
once `if !defined OPENSSL_NO_RC4 && !defined OPENSSL_NO_MD5`
and once `if !defined OPENSSL_NO_DES && !defined OPENSSL_NO_SHA1`
Hence there should be `||` between those. Currently the build fails
if the first condition is false, while the second is true.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15432)
Jon Spillett [Fri, 14 May 2021 04:46:25 +0000 (14:46 +1000)]
Add special case to skip RC4 reinit
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15276)
Jon Spillett [Fri, 14 May 2021 01:15:25 +0000 (11:15 +1000)]
Add an evp_libctx_test test run for legacy provider
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15276)
Benjamin Kaduk [Fri, 21 May 2021 17:25:00 +0000 (10:25 -0700)]
Allow TLS13_AD_MISSING_EXTENSION for older versions
Add a pass-through switch case for TLS13_AD_MISSING_EXTENSION in
ssl3_alert_code() and tls1_alert_code(), so that the call to
SSLfatal() in final_psk() will always actually generate an alert,
even for non-TLS1.3 protocol versions.
Fixes #15375
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15412)
Tomas Mraz [Mon, 24 May 2021 13:09:50 +0000 (15:09 +0200)]
write-man-symlinks: Write relative symlinks not absolute
Fixes #15424
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15437)
Jan Lana [Mon, 24 May 2021 15:08:09 +0000 (17:08 +0200)]
fix Solaris OS detection in config.pm
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15439)
Richard Levitte [Fri, 21 May 2021 06:26:46 +0000 (08:26 +0200)]
Fix 'openssl req' to be able to use provided keytypes
'openssl req' was still using old APIs that could only deal with
EVP_PKEY_ASN1_METHOD based EVP_PKEYs. Now modified to use more
generic functions that can handle all forms of EVP_PKEY, this app
should be ready for the future.
Fixes #15388
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15400)
Pauli [Mon, 24 May 2021 04:22:17 +0000 (14:22 +1000)]
mac: add a getter for the MAC block size.
Fixes #12342
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15427)
Pauli [Mon, 24 May 2021 04:16:44 +0000 (14:16 +1000)]
test: add evp_tests for the MAC size and block size
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15427)
Pauli [Mon, 24 May 2021 04:15:41 +0000 (14:15 +1000)]
doc: document the MAC block size getter
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15427)
Rich Salz [Sat, 22 May 2021 19:57:07 +0000 (15:57 -0400)]
Remove engine_table_select_int
Add missing file/line args and call it engine_table_select
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15419)
Juergen Christ [Thu, 20 May 2021 11:27:43 +0000 (13:27 +0200)]
Fix warning in gf_serialize
Compiling under -Werror fails in gf_serialize:
crypto/ec/curve448/f_generic.c:21:27: error: argument 1 of type 'uint8_t[56]' {aka 'unsigned char[56]'} with mismatched bound [-Werror=array-parameter=]
21 | void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_hibit)
| ~~~~~~~~^~~~~~~~~~~~~~~~~
In file included from crypto/ec/curve448/f_generic.c:12:
crypto/ec/curve448/field.h:65:28: note: previously declared as 'uint8_t *' {aka 'unsigned char *'}
void gf_serialize(uint8_t *serial, const gf x, int with_highbit);
~~~~~~~~~^~~~~~
Changed parameter to pointer to fix this warning.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15376)
Florian Mickler [Mon, 13 Jan 2020 01:06:49 +0000 (02:06 +0100)]
openssl srp: make index.txt parsing error more verbose
If index.txt exists but has some problems (like for example
consisting of a single \n character or number of fields wrong in one of the lines)
then openssl will just exit. This fixes it by printing an error when
load_index returns null.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15360)
Florian Mickler [Mon, 13 Jan 2020 01:05:22 +0000 (02:05 +0100)]
openssl ocsp: make index.txt parsing error more verbose
If index.txt exists but has some problems (like for example consisting of a single \n character in it,
or some field-number error in one of the lines) openssl will just exit without any error message.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15360)
Matt Caswell [Fri, 21 May 2021 11:21:32 +0000 (12:21 +0100)]
Don't try the same decoder multiple times
The function collect_decoder decides whether a given decoder should be
tried or not. It loops through all the names for matching keymgmts to
see if any are a match or not. If there is a match then the decoder gets
added. However, each keymgmt may have multiple aliases and a decoder was
being added for each one. For example DHX has 4 alias names, and therefore
4 instances of the DHX decoder were added and being tried.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15404)
Matt Caswell [Thu, 20 May 2021 13:02:12 +0000 (14:02 +0100)]
Remove some perl 5.14 use from rsaz-avx512.pl
The non-destructive substitution syntax (s///r), was introduced in perl
5.14. We need to support 5.10 and above.
Fixes #15378
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15379)
Shane Lontis [Fri, 14 May 2021 03:08:42 +0000 (13:08 +1000)]
Rename the field 'provctx and data' to 'algctx' inside some objects containing
pointers to provider size algorithm contexts.
Fixes #14284
The gettable_ctx_params methods were confusingly passing a 'provctx' and
a provider context which are completely different objects.
Some objects such as EVP_KDF used 'data' while others such as EVP_MD used 'provctx'.
For libcrypto this 'ctx' is an opaque ptr returned when a providers algorithm
implementation creates an internal context using a new_ctx() method.
Hence the new name 'algctx'.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15275)
Matt Caswell [Thu, 20 May 2021 10:52:56 +0000 (11:52 +0100)]
Fix a memleak in the FIPS provider
If the DRBG is used within the scope of the FIPS OSSL_provider_init
function then it attempts to register a thread callback via c_thread_start.
However the implementation of c_thread_start assumed that the provider's
provctx was already present. However because OSSL_provider_init is still
running it was actually NULL. This means the thread callback fail to work
correctly and a memory leak resulted.
Instead of having c_thread_start use the provctx as the callback argument
we change the definition of c_thread_start to have an explicit callback
argument to use.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
Richard Levitte [Mon, 17 May 2021 21:10:11 +0000 (23:10 +0200)]
Disable loader_attic by default on VMS
The reason is that it currently doesn't build properly, due to the of
pvkfmt.c, causing multiply defined symbols since libcrypto exports
them as well. At the same time, it can't do without that source file,
or it won't have access to certain internal symbols from there.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15320)
Richard Levitte [Wed, 19 May 2021 08:57:48 +0000 (10:57 +0200)]
Configurations/descrip.mms.tmpl: rework the inclusion hacks
Because VMS C has some trouble with recursive inclusion of header
files, we have had to help it out for object files where there is such
an inclusion structure.
Previously, we did so with temporary logical names that were the same
as the first directory in an inclusion, so for example, to enable this
inclusion (found in ssl/ssl_local.h), we created the logical name
"record" when building any of the object files in the ssl/
subdirectories:
#include "record/record.h"
However, there is another way with the VMS C compiler, to selectively
specify extra include directories in Unix form directly to the
compiler. The logic is that from the directory where the source file
to compile is located, the specified inclusion directory merged with
the inclusion string should be able to access to specified header
file.
So for example, when a file in ssl/record/ is compiled, the following
inclusion is found:
#include "../ssl_local.h"
So far so good, VMS C handles it properly. However, the recursive
inclusion of "record/record.h" fails. However, if the compiler is
helped out a little bit, with the following extra qualifier, then it
works:
/INCLUDE="../"
The reason is that the compiler merges "../" and "record/record.h"
into "../record/record.h", which is the correct path to that header
file from the directory of the source file being compiled.
All that remained was to figure out all places where this trouble may
occur, and specify extra Unix formatted inclusion directories to
specify on per object file basis.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15369)
Pauli [Fri, 21 May 2021 01:19:30 +0000 (11:19 +1000)]
property: convert integers to strings properly.
The int64_t type was converted to int (truncation).
Negative values were not handled at all.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15396)
Richard Levitte [Thu, 20 May 2021 08:31:21 +0000 (10:31 +0200)]
VMS: don't use app_malloc() in apps/lib/vms_decc_argv.c
The reason being that it would otherwise force test programs to link
with all of libapps.a, which unfortunately causes multiple symbol
definition issues.
The quick and dirty fix is to use OPENSSL_malloc() instead of
app_malloc() in apps/lib/vms_decc_argv.c, and clean up libapps.a
later.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15368)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15371)
Richard Levitte [Wed, 19 May 2021 16:51:07 +0000 (18:51 +0200)]
PROV: Relegate most of the FIPS provider code to libfips.a
provider/fips/fipsprov.c contains a number of symbols that get used by
anything that's included in libfips.a, at least on Unix.
Unfortunately, there are platforms that do not support resolving
symbols to things that are already included in the end product (module
in this case) being built; they only support resolving symbols with
what comes next in the linking process.
The offending symbols in this case are FIPS_security_check_enabled,
c_thread_start and ossl_fips_intern_provider_init.
We resolve this by placing provider/fips/fipsprov.c in libfips.a along
with everything else there. That takes care of the offending symbols.
What remains is to ensure that there is an entry point in an object
file used directly when linking the module, providers/fips/fips_entry.c
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15370)
Matt Caswell [Tue, 18 May 2021 16:39:56 +0000 (17:39 +0100)]
Cleanup the missing*.txt files
One macro existed that was added since 1.1.1 and was undocumented. This
had been added to missingmacro.txt. This is the wrong approach and so
has been removed from there.
There were some entries in missingcrypto.txt that don't exist as functions
at all. There were also some which were in fact documented.
Additionally 2 entries from missingcrypto.txt have been moved to
missingmacro.txt. These entries existed in 1.1.1 and were undocumented. In
master they have been deprecated and compatibility macros for them
implemented. The replacement functions have been documented.
An entry in missingcrypto111.txt was not in alphabetical order (and was
also) duplicated, but the equivalent entry in missingcrypto.txt was in the
correct place. This has been corrected to make comparisons between the files
easier.
Finally a function has been added to missingcrypto111.txt. This function
did exist in 1.1.1 and was undocumented. Its unclear why this wasn't in
missingcrypto111.txt to start with.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15333)