Added the configuration file option "date_opt" to the openssl applications ca,
crl and x509.
Added ASN1_TIME_print_ex which supports the new datetime format using the
flag ASN1_DTFLGS_ISO8601
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14384)
Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15444)
Tomas Mraz [Thu, 10 Jun 2021 07:58:43 +0000 (09:58 +0200)]
Do not depend on the exact exit failure value of dgst app
On most platforms the EXIT_FAILURE is 1 but on NonStop platform
the EXIT_FAILURE is -1 truncated to 255.
Fixes #15633
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15694)
Shane Lontis [Wed, 9 Jun 2021 07:34:55 +0000 (17:34 +1000)]
Fix s_server app to not report an error when using a non DH certificate.
Fixes #15071
It always tries loading the cert as DH which previously did not produce
an error. The errors are not suppressed for these operations.
The output now matches previous versions of OpenSSL.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15670)
Richard Levitte [Thu, 10 Jun 2021 11:00:54 +0000 (13:00 +0200)]
OpenSSL::Test: Treat SRCDATA directory specially, as it might not exist
Not all tests come with a SRCDATA directory. if it doesn't exist, we
simply drop it from the internal table of directories.
OpenSSL::Test::srcdata_dir() and OpenSSL::Test::srcdata_file() may
return undef in that case. However, recipes shouldn't try to refer to
a non-existing data directory, so if that happens, it's a programming
error and must be corrected.
Fixes #15679
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15700)
Todd Short [Fri, 5 Apr 2019 18:17:22 +0000 (14:17 -0400)]
Optimize session cache flushing
Sort SSL_SESSION structures by timeout in the linked list.
Iterate over the linked list for timeout, stopping when no more
session can be flushed.
Do SSL_SESSION_free() outside of SSL_CTX lock
Update timeout upon use
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8687)
Tomas Mraz [Mon, 7 Jun 2021 14:56:20 +0000 (16:56 +0200)]
Fix use after free in OSSL_HTTP_REQ_CTX_set1_req()
Fixes #15647
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15648)
Pauli [Wed, 9 Jun 2021 01:58:48 +0000 (11:58 +1000)]
err: clear flags better when clearing errors.
An attempt to clear an error with malloced data didn't clear the flags.
Now it clears all flags except the malloced flag.
Fixes #12530
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15667)
Pauli [Wed, 9 Jun 2021 03:40:54 +0000 (13:40 +1000)]
util: convert SHA* one shots back to being functions
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
Pauli [Wed, 9 Jun 2021 03:40:27 +0000 (13:40 +1000)]
changes: fix woring that mentions SHA* one shot functions are deprecated
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
Pauli [Wed, 9 Jun 2021 03:38:30 +0000 (13:38 +1000)]
sha: convert SHA one shot macros back to being functions
Fixes #15655
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15668)
Richard Levitte [Thu, 27 May 2021 10:44:19 +0000 (12:44 +0200)]
DECODER: Adapt addition of extra decoder implementations
The new PKCS#8 decoder implementation decodes from DER to DER.
OSSL_DECODER_CTX_add_extra() wasn't suited for this case; we had to
modify it to walk through all existing decoder implementations, and
filter out those that aren't suitable.
This also turns out to fix the possibility to have more than one extra
decoder implementation that produces the same type of encoding, for
example several different wrapper formats that all decoder into DER.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
Richard Levitte [Thu, 27 May 2021 10:34:03 +0000 (12:34 +0200)]
Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.
The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentativaly run further down the call chain.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
Rich Salz [Mon, 7 Jun 2021 16:06:26 +0000 (12:06 -0400)]
Remove I_CAN_LIVE_WITH_LNK4049
Fixes #9332
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15649)
Richard Levitte [Mon, 7 Jun 2021 12:10:17 +0000 (14:10 +0200)]
OpenSSL::Test.pm: Replace all uses of rel2abs() with abs_path()
rel2abs() doesn't clean the path well enough, which may lead to odd
results when calculating new paths. abs_path() works better for this
sort of thing.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15644)
Matt Caswell [Fri, 4 Jun 2021 13:16:42 +0000 (14:16 +0100)]
Simplify error reporting in X509_PUBKEY_get0()
The X509_PUBKEY_get0() was attempting to recreate any errors that might
have occurred from the earlier decode process when obtaining the EVP_PKEY.
This is brittle at best and the approach would only work with legacy keys.
We remove this and just report an error directly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Matt Caswell [Fri, 28 May 2021 13:03:25 +0000 (14:03 +0100)]
Use the fips-and-base.cnf config file in CMP tests
Two CMP tests were using the fips.cnf config file. However to
ensure that decoders are available the fips-and-base.cnf config
file needs to be used instead.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Matt Caswell [Fri, 28 May 2021 12:39:17 +0000 (13:39 +0100)]
Mark some priv/public key paris as only available in the default provider
Now that we actually load public keys from providers we need to mark some
key paris in the evp tests as only available there. Otherwise we get test
failures when only the FIPS Provider is loaded.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Matt Caswell [Fri, 28 May 2021 10:07:24 +0000 (11:07 +0100)]
Actually use a legacy route in pem_read_bio_key_legacy()
The function pem_read_bio_key_legacy() is a fallback route if we
failed to load a key via a provider. We should be using the legacy
specific d2i functions to force legacy otherwise we end up using a
provider anyway
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Matt Caswell [Thu, 27 May 2021 17:00:07 +0000 (18:00 +0100)]
Just look for "Unable to load Public Key" if no SM2
The X509 test was looking for some specific errors when printing an SM2
X509 certificate when SM2 is disabled. In fact these errors appear in the
middle of the certificate printing which is quite odd. There is also a
separate error "Unable to load Public Key" which is more cleanly printed.
With the recent change to using provided keys in certs the old errors are
no longer output. However printing them in the middle of the cert is
probably not right anyway. So we just rely on the "Unable to load Public
Key" message.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Matt Caswell [Thu, 27 May 2021 15:48:37 +0000 (16:48 +0100)]
Only use the legacy route to decode a public key if we have to
We should use a provider to decode a SubjectPublicKeyInfo structure if
we can. We should only use the legacy route if we are forcing legacy, or
if an ENGINE is in use.
Fixes #15393
Fixes #15327
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Matt Caswell [Thu, 27 May 2021 15:24:00 +0000 (16:24 +0100)]
Use the right class/tag when decoding an embedded key
When a key (SubjectPublicKeyInfo) is embedded in some other structure
it may use an implicit tag. However the decoders can only handle the
universal class and don't know how to interpret the implicit tag.
Therefore we modify the data into a form the decoders can handle.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Matt Caswell [Fri, 21 May 2021 16:26:35 +0000 (17:26 +0100)]
Fix the expected output of printing certificates
Now that we are using provided keys when loading a certificate the pretty
printing formatting is cosmetically different. We need to adjust expected
test output accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Daniel Bevenius [Mon, 7 Jun 2021 04:01:54 +0000 (06:01 +0200)]
Add aix64-gcc-as architecture and p2align callback
This commit adds an architecture named aix64-gcc-as which can generate
assembler source code compatible with AIX assembler (as) instead of the
GNU Assembler (gas). This architecture name is then used in a callback
for the .p2align directive which is not available in AIX as.
The motivation for this addition came out of an issue we ran into when
working on upgrading OpenSSL in Node.js. We ran into the following
compilation error on one of the CI machines that uses AIX:
05:39:05 Assembler:
05:39:05 crypto/bn/ppc64-mont-fixed.s: line 4: Error In Syntax
This machine is using AIX Version 7.2 and does not have gas installed
and the .p2align directive is causing this error. After asking around if
it would be possible to install GAS on this machine I learned that AIX
GNU utils are not maintained as well as the native AIX ones and we
(Red Hat/IBM) have run into issues with the GNU utils in the past and if
possible it would be preferable to be able to use the AIX native
assembler.
Refs: https://github.com/nodejs/node/pull/38512
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15638)
Juergen Christ [Wed, 2 Jun 2021 17:33:50 +0000 (19:33 +0200)]
Test EVP_CipherInit sequences and resets
Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x. Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results. Add some unit tests to cover these rather exotic use
cases.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)
Juergen Christ [Fri, 28 May 2021 13:02:52 +0000 (15:02 +0200)]
Fix CipherInit on s390x.
Various different initialization sequences led to bugs on s390x due to caching
and processing during key setting. Since, e.g., the direction does not
necessarily have to be correct during initialization, this produced bugs in
s390x which were not present on other architectures. Fix this by recomputing
the function codes on the fly during updates and final operations.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)
Tomas Mraz [Fri, 4 Jun 2021 15:01:24 +0000 (17:01 +0200)]
Elimination of some sources not needed in the FIPS_MODULE
Unfortunately in terms of fips.sources this does not mean much
given the way how the .h files are added via the dependency
information from the compiler.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15622)
Richard Levitte [Wed, 2 Jun 2021 19:19:18 +0000 (21:19 +0200)]
test/recipes/80-test_cmp_http.t: Don't trust $server_port in start_mock_server()
Even if $server_port isn't touched, it's still a number coming from
configuration. It's therefore not trustable as an indicator that the
ACCEPT line delivered a port number or an error indication.
$accept_msg is used instead to capture the port if there is one, and
be a better indicator of error.
Fixes #15557
Fixes #15571
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)
test_cmp_http() made some assumptions about what values that exit_checker
could get that aren't quite right.
Furthermore, the expected result isn't about exit codes, but about
true or false. This is better served by getting the value from
OpenSSL::Test::run(), and checking that value against $expected_result
with Test::More::is().
Fixes #15557
Fixes #15571
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)
Pauli [Fri, 4 Jun 2021 10:14:07 +0000 (20:14 +1000)]
doc: update generated image files
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15616)
Pauli [Fri, 4 Jun 2021 10:13:15 +0000 (20:13 +1000)]
doc: update Graphviz images to have a transparent background
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15616)
Pauli [Fri, 4 Jun 2021 04:25:14 +0000 (14:25 +1000)]
property: improve ossl_property_find_property() function
This function searches a property list for a specific property and returns
a pointer to the definition if found. The existing version was O(n) time,
the improved O(log n).
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15614)