Richard Levitte [Wed, 2 Jun 2021 04:37:43 +0000 (06:37 +0200)]
ENCODER: use property definitions instead of getting implementation parameters
The OSSL_ENCODER library used to ask each encoder implementation for
certain data in form of parameters to place them correctly in the
encoder chain, if at all. These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.
Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
Richard Levitte [Wed, 2 Jun 2021 04:32:00 +0000 (06:32 +0200)]
ENCODER: Drop OSSL_ENCODER_PARAM_INPUT_TYPE
This was a poor substitute for using the name of the decoder implementation,
and since there is functionality to get the latter now, this parameter
can be dropped.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
Richard Levitte [Tue, 1 Jun 2021 18:04:59 +0000 (20:04 +0200)]
DECODER: use property definitions instead of getting implementation parameters
The OSSL_DECODER library used to ask each decoder implementation for
certain data in form of parameters to place them correctly in the
decoder chain, if at all. These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.
Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.
This adds the "global" error reason ERR_R_INVALID_PROPERTY_DEFINITION,
which can be re-used elsewhere.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
Matt Caswell [Thu, 27 May 2021 14:03:06 +0000 (15:03 +0100)]
Ensure libctx/propq is propagated when handling X509_REQ
When we create via d2i or dup an X509_REQ we should ensure that the libctx
is properly propagated. We also ensure we create X509_REQ objects with the
proper libctx assigned in the CMP tests.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
Matt Caswell [Thu, 27 May 2021 09:56:02 +0000 (10:56 +0100)]
Give ASN.1 objects the ability to report their libctx/propq
Some ASN.1 objects have an embedded libctx/propq. If they have one we
give the ASN.1 code the ability to find these values and use them where
needed. This is used for OSSL_CMP_MSG_dup() and X509_dup().
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
Matt Caswell [Tue, 25 May 2021 16:16:18 +0000 (17:16 +0100)]
Teach more of the ASN.1 code about libctx/propq
Make sure we pass libctx/propq down to all the layers so that objects that
are created during parsing have the right values. Then use this new
capability for PKCS7.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
Matt Caswell [Fri, 21 May 2021 16:25:05 +0000 (17:25 +0100)]
Teach the ASN.1 code how to create embedded objects with libctx/propq
An ASN.1 object such as an X509 may have embedded objects in it such as
an X509_PUBKEY. If there is a libctx/propq in use then we need to make sure
we pass these down to the constructors of these embedded objects.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
Matt Caswell [Thu, 3 Jun 2021 10:08:25 +0000 (11:08 +0100)]
Check that we got the expected name type when verifying name constraints
If a SAN field contains an SmtpUTF8Mailbox name then it is expected to
have a UTF8String type. We should verify that it really does before we
attempt to use the value in it.
Reported by Corey Bonnell
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)
Rich Salz [Wed, 2 Jun 2021 13:38:01 +0000 (09:38 -0400)]
Add md-nits task
Assumes that Ruby is installed
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15590)
Matt Caswell [Wed, 2 Jun 2021 16:19:23 +0000 (17:19 +0100)]
Only call dtls1_start_timer() once
The function dtls1_handle_timeout() calls dtls1_double_timeout() which
was calling dtls1_start_timer(). However dtls1_start_timer() is also
called directly by dtls1_handle_timeout(). We only need to start the timer
once.
Fixes #15561
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15595)
Matt Caswell [Tue, 25 May 2021 11:38:19 +0000 (12:38 +0100)]
Teach ASN1_item_verify_ctx() how to handle provided keys
We need to special case RSA-PSS because that uses X509_ALGOR style
parameters and we have no support for this on the provider side at this
stage.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15527)
bonniegong [Wed, 2 Jun 2021 07:35:18 +0000 (15:35 +0800)]
Check the return value of ASN1_STRING_length
ASN1_STRING_length gets the field 'length' of msg, which
can be manipulated through a crafted input.
Add a check to avoid error execution of OPENSSL_malloc().
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15583)
Jon Spillett [Wed, 2 Jun 2021 01:20:25 +0000 (11:20 +1000)]
80-test_cmp_http.t: Re-enable CMP tests for AIX, removing some inessential test cases
Remove negative test cases which simulate an attempt to write file contents to a directory
using a path ending in '/' as this is not compatible with fopen on all platforms, e.g., AIX.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15575)
Shane Lontis [Wed, 2 Jun 2021 04:42:56 +0000 (14:42 +1000)]
Fix errors found by parfait static analyser.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15579)
Pauli [Tue, 1 Jun 2021 08:35:15 +0000 (18:35 +1000)]
rsa: make the maximum key strength check FIPS only.
To be reverted once key generation checks are added everywhere and a way to
disable them implemented.
Fixes #15502
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15560)
Jon Spillett [Mon, 31 May 2021 03:50:02 +0000 (13:50 +1000)]
Add enable-fips to CI configuration
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15537)
Jon Spillett [Mon, 31 May 2021 03:14:24 +0000 (13:14 +1000)]
Disable tracing within the FIPS module
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15537)
Tomas Mraz [Tue, 1 Jun 2021 12:54:43 +0000 (14:54 +0200)]
ed25519 and ed448: fix incorrect OSSL_PKEY_PARAM_MAX_SIZE
Fixes #15552
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15566)
Trev Larock [Fri, 28 May 2021 12:54:44 +0000 (12:54 +0000)]
Modify ssl_handshake_hash to call SSLfatal
When EVP_MD_CTX_new fails call SSLfatal before the goto err.
This resolves a state machine issue on the out of memory condition.
Fixes #15491.
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15520)
Tomas Mraz [Mon, 31 May 2021 15:00:38 +0000 (17:00 +0200)]
Make the 00-prep_*.t recipe truly mandatory
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15550)
Tomas Mraz [Mon, 31 May 2021 12:22:35 +0000 (14:22 +0200)]
Windows CI: enable fips on shared 64 bit build
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15550)
Tomas Mraz [Mon, 31 May 2021 12:18:56 +0000 (14:18 +0200)]
Fix enable-fips builds on Windows
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15550)
Jon Spillett [Tue, 18 May 2021 03:37:35 +0000 (13:37 +1000)]
Pass library context and property query into private key decoders
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
Jon Spillett [Thu, 6 May 2021 01:55:42 +0000 (11:55 +1000)]
Fix up encoder/decoder issues caused by not passing a library context to the PKCS8 encrypt/decrypt
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
Jon Spillett [Mon, 15 Mar 2021 04:26:09 +0000 (14:26 +1000)]
Enhance the encoder/decoder tests to allow testing with a non-default library context and configurable providers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)